Cybersecurity & Regtech: Defending The Bank



How can financial institutions proactively combat the risks facing the industry today? The 2018 Risk Survey—presented by Bank Director and Moss Adams LLP—compiled the insights of directors, chief executive officers and senior executives of U.S. banks with more than $250 million in assets. According to the survey, the worries keeping top executives awake at night align with the key priorities that banks commonly hear from banking regulators: cybersecurity, compliance and strategic risk.

Cybersecurity
Cybersecurity was the biggest concern by far, reported by 84 percent of respondents.

The survey addressed the confidence that executives and directors have in their institutions’ cybersecurity programs, with an emphasis on staffing and overall effectiveness. Access to the proper talent—in the form of a chief information security officer (CISO) or a strategic partner with the necessary skill set—and the associated costs are key to a successful program, and 71 percent of respondents revealed that their bank employs a full-time CISO.

While technical skills are valuable in today’s business environment, financial institutions must overcome their dependence on skilled technicians who don’t necessarily have the ability to strategically look at the changing technological landscape. The CISO should build an appropriate plan by taking a full view of the bank’s technology and strategy. Without this perspective, a bank could provide hackers with an opening to breach the institution, regardless of size or location.

Institutions building the foundation of a robust cybersecurity program should also focus on three key areas:

  • Assessment tools: Is the institution leveraging the proper technologies to help maximize the detection and containment of potential issues?
  • Risk assessments: Has management identified current risks to the organization and implemented proper mitigation strategies?
  • Data classification: Has management identified all critical data and its forms, and addressed the protection of this data in the risk-assessment process?

Compliance
Compliance was the second biggest area of concern, identified by 49 percent of respondents. It’s an area that continues to evolve as new regulators have been appointed to head the agencies that regulate the industry, and technological tools—dubbed regtech—have entered the marketplace.

More than half of survey respondents indicated that the introduction of regtech has increased their banks’ compliance budgets, demonstrating that the cost of solutions and staff to evaluate, deploy and support these efforts in an effective manner is a growing challenge.

Because the volume of available data and the ability to analyze it continue to grow, respondents may have expected this technology to lower the cost of operating a robust compliance program rather than raise it.

Executives looking to decrease costs may want to consider the staffing required to operate a compliance program and whether deploying technology would allow for fewer personnel. When technology is properly used and standards are developed to help guarantee efficient use of it, the dilemma of acquiring technology versus adding staff can often be more easily solved.

Strategic Risk
Strategic risk was the third largest area for concern, identified by 38 percent of respondents. Many directors and executives are wrestling with what the future holds for their institutions. The debate often boils down to one question: Should they continue to build branches or invest more in technology—either on their own or by partnering with fintech companies?

Fintech companies are a growing presence in the lending and payments segments, areas that were historically handled exclusively by traditional institutions. That, coupled with clients who increasingly prioritize immediate access to services on their devices over personal relationships, increases the pressure to deliver services through technology channels.

Financial institutions have entered what many would call a perfect storm. Every institution will need to make hard decisions about how to address these issues in a way that facilitates growth.

Assurance, tax, and consulting offered through Moss Adams LLP. Wealth management offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.

Digitization Inside and Out of the Boardroom


As global businesses and markets are caught in a seemingly perpetual cycle of disruption and adjustment, company leadership and directors are tasked with finding new, innovative ways of communicating and working with shareholders in an increasingly complex and fragmented landscape. This is even more important given the massive technological advancements of the last decade, which have shifted not only the ways in which companies operate, but the means by which businesses and investors convey and share information.

Recent advancements in technology have transformed everyday business processes through digitization, which, in turn, has made cybersecurity a top priority. Moreover, they have made the world a much more connected place, facilitating business at a faster pace than ever before. To help company leadership adjust, new technologies have been developed to help directors and leadership teams improve collaboration and workflow.

Digitization
Today’s boards are going paperless, and the reality has become indisputable: directors are turning away from printed documents in favor of digital information that is easy to share and accessible on mobile platforms, like board portals.

Through digitization, directors are now accustomed to heightened levels of speed and efficiency across all business processes. With board portals, corporate secretaries and meeting managers are able to streamline board book creation and tighten information security. The benefits to this technology are clear: easy access to digital meeting information with user-friendly tools for assigning tasks, approvals, consent votes and secure messaging.

We have also observed a growing trend driving increased global demand for board portal solutions: the need to collaborate and share confidential information and documents across internal and external teams in a highly secured environment. The C-suite executives who already use our board portal tools for director-level collaboration are now expanding that capability across their organizations, all through a single sign-on service.

Cybersecurity
As businesses shift to digital platforms, data security plays a much bigger role. Companies must closely scrutinize how sensitive information is handled due to the risk of breaches. Cyberattacks are common and can result in significant financial and reputational damage; cybercrime damage costs are expected to total $6 trillion annually by 2021, according to CSO. This makes it especially important for boards and company leadership to take a strategic approach to data protection. Information is being shared in more rapid and innovative formats, and the methods in which boards communicate with shareholders will need to prioritize safety along with accessibility.

Protecting sensitive information should be at the top of a company’s concerns. This is why solutions should use strong encryption for data in transit and at rest, require multi-factor authentication and avoid storing board data in shared cloud infrastructure. Companies can also use machine learning and artificial intelligence (AI) to monitor large volumes of data. These technologies can detect network anomalies that signal an attack in progress and block further access before data is exfiltrated.

Globalization
Due to the digitization of communication channels, we are now able to connect and do business in seconds with people halfway across the world. As technology brings us closer together, it breaks down barriers to information access. This ease of information exchange has changed investing by removing many of the impediments that once kept investors out of certain markets.

Increased ease of access to information around the world means companies, and particularly company leadership, should ensure key information is digestible for all stakeholders. That’s why being equipped with full translation services for common languages can be advantageous.

Moreover, as globalization continues to facilitate business and investing opportunities, shareholder bases are broader and more diverse than ever before. With the rise of passive investing, companies often lack the visibility to know who their shareholders are. For this reason, it is worth taking advantage of tools and technologies that provide actionable insights into passive investment data and a more comprehensive picture of shareholders.

Looking Ahead
As technology continues to augment the ways in which companies operate, boards need to keep pace, ensuring they are communicating with their shareholders in the most efficient and preferred methods possible.

Shelter From the Cyber Storm


In 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber threat intelligence is a significant focus of the organization, alongside physical threats such as natural disasters, including the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Sector Coordinating Council, in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure that their customers’ account data survives a cyberattack that damages or destroys the bank’s own systems. If a bank is unable to recover from such an attack in a timely manner, its customers would still be able to access their accounts through another member financial institution. The vaulted data is encrypted and remains private, and the goal is to keep disruption in service for the customer to a minimum.

Much like FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale and are determined by the size of the financial institution.

In this interview, Bank Director Director of Research Emily McCormick asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.
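As an added illustration of the extract, standardize, encrypt and store process described in the answer above, and of the rapid restore it is meant to enable, the following Go program is not Sheltered Harbor’s code or specification: the AccountRecord layout, the manifest fields, the institution name and the sample balances are all constructed for this example, and the real Sheltered Harbor data format is not reproduced here. It shows the properties a practitioner would want from such a vault: the payload is encrypted with AES-256-GCM, the cleartext manifest (institution, snapshot date, record count) is bound to the ciphertext as additional authenticated data so it cannot be swapped, and a custodian who never holds the key can still verify the stored object’s integrity from a digest of the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AccountRecord is a hypothetical standardized record. The actual Sheltered
// Harbor data format is not reproduced; only the shape of the process is.
type AccountRecord struct {
	AccountID    string `json:"account_id"`
	CustomerID   string `json:"customer_id"`
	ProductType  string `json:"product_type"`
	BalanceCents int64  `json:"balance_cents"`
	AsOf         string `json:"as_of"`
}

// VaultObject is what would be handed to write-once vault storage.
// Manifest fields travel in the clear so a custodian can verify integrity
// without holding the key; they are also bound to the ciphertext as GCM
// additional authenticated data so they cannot be swapped.
type VaultObject struct {
	Institution  string `json:"institution"`
	SnapshotDate string `json:"snapshot_date"`
	RecordCount  int    `json:"record_count"`
	Nonce        []byte `json:"nonce"`
	Ciphertext   []byte `json:"ciphertext"`
	CipherSHA256 string `json:"ciphertext_sha256"`
}

func (v *VaultObject) aad() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", v.Institution, v.SnapshotDate, v.RecordCount))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serializes the records into the standard format, encrypts them with
// AES-256-GCM and produces the vault object plus its integrity digest.
func Seal(key []byte, institution, snapshotDate string, records []AccountRecord) (*VaultObject, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	obj := &VaultObject{Institution: institution, SnapshotDate: snapshotDate, RecordCount: len(records), Nonce: nonce}
	obj.Ciphertext = gcm.Seal(nil, nonce, plain, obj.aad())
	sum := sha256.Sum256(obj.Ciphertext)
	obj.CipherSHA256 = hex.EncodeToString(sum[:])
	return obj, nil
}

// VerifyIntegrity is what a custodian (or the backup service provider) can run
// without the decryption key: does the stored ciphertext still match its digest?
func VerifyIntegrity(obj *VaultObject) error {
	sum := sha256.Sum256(obj.Ciphertext)
	if hex.EncodeToString(sum[:]) != obj.CipherSHA256 {
		return errors.New("vault object digest mismatch: object altered or corrupted")
	}
	return nil
}

// Restore verifies integrity, then decrypts and authenticates the payload
// together with its manifest. Any tampering with either fails closed.
func Restore(key []byte, obj *VaultObject) ([]AccountRecord, error) {
	if err := VerifyIntegrity(obj); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, obj.Nonce, obj.Ciphertext, obj.aad())
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	var records []AccountRecord
	if err := json.Unmarshal(plain, &records); err != nil {
		return nil, err
	}
	if len(records) != obj.RecordCount {
		return nil, errors.New("record count in manifest does not match payload")
	}
	return records, nil
}

// SampleRecords returns constructed sample data (not real accounts).
func SampleRecords() []AccountRecord {
	return []AccountRecord{
		{"CHK-0001", "CUST-100", "checking", 152300, "2018-06-30"},
		{"SAV-0002", "CUST-100", "savings", 1250000, "2018-06-30"},
	}
}

func main() {
	// A real deployment would use an HSM-managed key with an escrow arrangement
	// for the restoring institution; a random in-memory key is enough for the demo.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	obj, err := Seal(key, "EXAMPLE-BANK", "2018-06-30", SampleRecords())
	if err != nil {
		panic(err)
	}
	fmt.Println("integrity check:", VerifyIntegrity(obj))
	obj.Ciphertext[0] ^= 0xff // simulate corruption in the vault
	_, err = Restore(key, obj)
	fmt.Println("restore after tampering:", err)
}
```

Restore fails closed on any of the three checks (digest, GCM authentication, manifest count), which is the behaviour you want when the restoring party is a different institution working from a vault it did not create. Key custody is deliberately out of scope; in practice the key would be held in an HSM with an escrow arrangement that gives the backup institution access under defined conditions.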

BD: The initiative helps member financial institutions securely store customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.

What Are the Costs of Cyberattacks?


Banks and other financial institutions are prime targets for hackers because criminals can gain access to financial and personal information that leads them to additional sources of funds. For the same amount of effort, corporate accounts give hackers access to much more data. Criminals are working hard to stay a step ahead of security experts, who are trying their best to protect corporate accounts.

Hackers are looking at the interconnectivity of mobile devices and other systems to find ways to squeeze in viruses and capture information. IT experts are also looking at how they can use interconnectivity to incorporate security tools for banks and other industries.

No system is as secure as banks would like it to be, which makes it difficult for them to know how much insurance would be sufficient in the event of a breach if they are considering buying coverage.

Any way you approach it, protecting against cyberattacks is an expensive proposition.

Banks and other financial institutions stand to lose more than funds and data. Other potential costs include damage to brand reputation and penalties for failing to comply with security regulations.

Research from Kaspersky Lab and B2B International shows that the combined losses due to cybersecurity incidents cost banks about $1.75 million per incident, on average.

Several different things make corporate banking accounts difficult to protect. Corporations usually have multiple people listed on their accounts who need to be able to deposit, transfer and withdraw funds. Having different employees accessing the account on a regular basis, either in person or remotely, opens up opportunities for fraud. Transactions also tend to be larger on corporate accounts than on personal accounts, so there is more to lose.

Senior executives and directors don’t always understand the information that their tech departments provide about how they are protecting the bank’s various computer systems, so they have no way of assessing whether the security programs are effective. A 2017 report by MediaPro surveyed 809 employees working in the financial services industry and classified 80 percent of them as “risks” or “novices” relative to cybersecurity. Lack of awareness among financial services employees increases the risk of work practices that could lead to a security breach.

Cybersecurity expert Ariel Evans cautions managers at financial institutions to be wary of IT departments that take a “bottom-up approach” to cybersecurity, one that only reports whether each control has been implemented and stops at the system level, without tying the business processes to the data assets and systems that support them. When a program stops there, a bank may have the most sophisticated, mature security tooling available and still be unable to demonstrate its effectiveness, because effectiveness is never measured in terms of what the business stands to lose.

Evans recommends a top-down approach that ties the business impact of the assets and processes to cyber risk. This approach measures the risk posed to the assets and prioritizes remediation efforts. This information is also helpful to insurance providers since it provides them with more accurate information to offer cyber-risk insurance policies that cover adequate amounts in the event of a breach. (To learn more about why cybersecurity should be a concern for your organization, read this white paper written in conjunction with the NYSE to improve your cybersecurity practices.)

Financial institutions can protect their consumers with cyber risk insurance policies. Many experts question if banks are considering the full cost of what they would risk in the event of a cyberattack. Directors need to carefully assess if they have enough cyber risk insurance. Discussions will no doubt include weighing the cost of the insurance with the amount of protection it provides, due to the large amounts that could be lost in the event of a breach.

Having data about the effectiveness of cybersecurity systems also helps a bank negotiate premiums that remain affordable at the liability limits it actually needs.

Directors have a huge task in front of them as they make decisions about cybersecurity. They need to have assurance from the IT department that the security tools they use are mature and effective. They also need to understand all the layers of security, including making sure that they’ve taken steps to make employees aware of their responsibilities in keeping accounts secure. Finally, directors need to understand what their cyber risk insurance policies cover, as well as any limits, conditions and exclusions that apply.

What CEOs and Directors Need to Know About Their Bank’s Cyber Risks


Cybersecurity is quickly moving to the forefront of pressing concerns for financial institutions and their leaders. Regulators and examiners increasingly are expecting the board of directors and C-suite executives to obtain a greater familiarity with cyber threats and mitigation measures.

In May 2017, for example, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool (CAT), which was developed to help identify an institution’s risks and determine its preparedness. The FFIEC’s instructions for using the assessment explicitly contemplate the involvement of the chief executive officer and the board. Banks aren’t yet required to use CAT, but it’s expected to become mandatory eventually.

The message is clear—executives no longer can afford to take a hands-off approach to cybersecurity. They need to stay informed on critical security issues, and their chief information security officers (CISOs) should play a key role in keeping them up-to-date.

Role of the CISO
The CISO plays an advisory role, helping other C-suite executives make better, risk-informed decisions in the day-to-day execution of the bank’s operations. A CISO also can help design and implement the security strategy a bank deploys to effectively protect itself and its customers from known threats.

To provide the expected advisory services, the CISO must be aware of the current threats (including general threats, industry-specific threats and even institution-specific threats) confronting the bank. In addition to understanding this threat landscape, the CISO needs intimate knowledge of the bank’s ability to mitigate these threats, which includes evaluating the existence and effectiveness of the security program and its controls, and communicating the results to the C-suite.

Armed with measurements of the existence and effectiveness of the security program’s controls, the CISO can provide specific advice to the CEO and other C-suite members about the risks facing the bank and the additional steps that might be necessary.

The CISO regularly should brief executives on the following:

Status of Security Controls
Security controls—composed of people, processes and technology working together to mitigate specific threats—are the bedrock of any cybersecurity program. Executives must understand the status of such controls to know how well the bank is equipped to defend against threats.

Evaluating the status of such controls can be accomplished with dashboards that provide executives with a visual representation of all required security controls and the effectiveness of each. It is important for executives to understand how the effectiveness is measured. Is it a system that just measures the existence of the control, or is some form of measurement or testing done on the control? Historical metrics related to control implementation and effectiveness also are essential to provide perspective and illustrate progress (or lack thereof).
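To make the existence-versus-effectiveness distinction concrete (and the cybersecurity scorecard idea from the Sheltered Harbor interview earlier on this page), here is an added Go example; it is not code from the article or from any named framework. The control names, test dates and the mapping of each control to a NIST Cybersecurity Framework function are constructed assumptions. It classifies each control as missing, untested, stale, ineffective or effective from its test evidence as of a reference date, aggregates by CSF function, and recomputes the headline rate for an earlier date to produce the historical trend the text asks for.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ControlStatus captures the distinction the text draws: a control can exist
// (implemented) without anyone having shown that it works (tested effective).
type ControlStatus int

const (
	Missing     ControlStatus = iota // not implemented
	Untested                         // implemented, no test evidence
	Stale                            // implemented, last test older than the window
	Ineffective                      // implemented, most recent test failed
	Effective                        // implemented, most recent test passed within the window
)

func (s ControlStatus) String() string {
	return [...]string{"missing", "untested", "stale", "ineffective", "effective"}[s]
}

// TestResult is one evidence point for a control (a restore drill, a phishing
// simulation, a pentest retest). All values below are constructed.
type TestResult struct {
	When   time.Time
	Passed bool
}

// Control is one security control mapped to a NIST CSF function
// (Identify/Protect/Detect/Respond/Recover). The mapping is an assumption.
type Control struct {
	ID          string
	Function    string
	Implemented bool
	Tests       []TestResult
}

// Classify applies the existence-vs-effectiveness rule as of a reference date.
// Only evidence dated on or before asOf counts, so history is not rewritten.
func Classify(c Control, asOf time.Time, window time.Duration) ControlStatus {
	if !c.Implemented {
		return Missing
	}
	var latest *TestResult
	for i := range c.Tests {
		r := &c.Tests[i]
		if r.When.After(asOf) {
			continue
		}
		if latest == nil || r.When.After(latest.When) {
			latest = r
		}
	}
	if latest == nil {
		return Untested
	}
	if asOf.Sub(latest.When) > window {
		return Stale
	}
	if !latest.Passed {
		return Ineffective
	}
	return Effective
}

// Scorecard aggregates per CSF function: how many controls exist versus how
// many are demonstrably effective. The gap between the two is the board number.
type Scorecard struct {
	Function  string
	Total     int
	Existing  int
	Effective int
	ByStatus  map[ControlStatus]int
}

func BuildScorecard(controls []Control, asOf time.Time, window time.Duration) []Scorecard {
	byFn := map[string]*Scorecard{}
	for _, c := range controls {
		sc, ok := byFn[c.Function]
		if !ok {
			sc = &Scorecard{Function: c.Function, ByStatus: map[ControlStatus]int{}}
			byFn[c.Function] = sc
		}
		st := Classify(c, asOf, window)
		sc.Total++
		sc.ByStatus[st]++
		if st != Missing {
			sc.Existing++
		}
		if st == Effective {
			sc.Effective++
		}
	}
	out := make([]Scorecard, 0, len(byFn))
	for _, sc := range byFn {
		out = append(out, *sc)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Function < out[j].Function })
	return out
}

// EffectiveRate is the headline metric; computing it for two reference dates
// gives the historical trend the text asks for.
func EffectiveRate(cards []Scorecard) float64 {
	total, eff := 0, 0
	for _, c := range cards {
		total += c.Total
		eff += c.Effective
	}
	if total == 0 {
		return 0
	}
	return float64(eff) / float64(total)
}

// SampleControls is a constructed inventory, not a real bank's program.
func SampleControls() []Control {
	d := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	return []Control{
		{"MFA-remote-access", "Protect", true, []TestResult{{d("2017-01-15"), true}, {d("2017-07-10"), true}}},
		{"Email-filtering", "Protect", true, []TestResult{{d("2016-12-01"), true}, {d("2017-06-01"), false}}},
		{"SIEM-alerting", "Detect", true, nil},                                               // exists, never tested
		{"Core-backup-restore-drill", "Recover", true, []TestResult{{d("2016-05-01"), true}}}, // evidence too old
		{"Vendor-risk-inventory", "Identify", false, nil},
		{"IR-playbook-tabletop", "Respond", true, []TestResult{{d("2017-05-20"), true}}},
	}
}

func main() {
	asOf := time.Date(2017, 8, 1, 0, 0, 0, 0, time.UTC)
	window := 365 * 24 * time.Hour
	for _, sc := range BuildScorecard(SampleControls(), asOf, window) {
		fmt.Printf("%-9s controls=%d existing=%d effective=%d\n", sc.Function, sc.Total, sc.Existing, sc.Effective)
	}
	prev := asOf.AddDate(0, -6, 0)
	fmt.Printf("effective rate: %.0f%% (six months earlier: %.0f%%)\n",
		100*EffectiveRate(BuildScorecard(SampleControls(), asOf, window)),
		100*EffectiveRate(BuildScorecard(SampleControls(), prev, window)))
}
```

The key design choice is that `Classify` only looks at evidence dated on or before the reference date, so the same control inventory yields an honest history rather than one coloured by later tests; and a passing test older than the window counts as stale, not effective, which is what stops a dashboard from reporting last year’s restore drill as current assurance. With the constructed data the rate falls from 50 percent to 33 percent over six months, the "lack thereof" case the text mentions.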

Status of Regulatory Compliance
Banks are subject to a broad and complex web of compliance obligations. Depending on the services they offer, applicable state and local regulations, and the types of information they process, the regulatory burden can differ dramatically among banks. For every financial institution, though, failure to comply can lead to fines, lawsuits and customer loss. The CISO should brief fellow C-suite executives on the bank’s current compliance status with all applicable laws and regulations. He or she also should update executives on how the bank is tracking and proactively preparing for potential regulatory changes.

Upcoming Security Initiatives
The CISO should explain current threats and the areas of risk that need to be addressed through various security initiatives, a measure which might require capital expenditures and approval from executive management. The explanation should cover not only where the security program stands today but also the overall direction going forward. Because this information can affect business initiatives that are not directly related to security, it facilitates risk-informed decision making.

Risk Management
Risk management is an ongoing process conducted by the security team to identify the areas with the highest level of risk based on known threats, weaknesses, controls and assets. In the end, the security team might determine that some identified risks are not sufficiently mitigated or that the residual risks remaining after the controls have been implemented are so considerable that they require new security initiatives. This information is vital for executives, as risks that aren’t adequately addressed must be considered when conducting business operations.

Know What You Know—And What You Don’t
No one, not even regulators and examiners, expects C-suite executives to be experts on cybersecurity issues. These executives should, however, understand their banks’ security posture so they can satisfy regulatory expectations and make better, risk-informed decisions for the overall business.

How to Respond to a Major Cyber Incident


For many bank chief executive officers and their boards, it could be one of their worst nightmares: Hackers have penetrated their bank’s computer systems and possibly made off with highly sensitive customer information, and a series of decisions will have to be made very quickly under a great deal of pressure. What remedial action should be taken, and by whom? Who else should be involved as the bank responds to the situation? And what should the bank tell its customers and its regulators?

The author J.R.R. Tolkien once mused in his popular novel “The Hobbit” that “It does not do to leave a live dragon out of your calculations if you live near him.” The metaphorical dragon that bankers need to include in their calculations is a global army of hackers—some representing nation states, some just crooks and some a combination of the two—that has emerged as one of the greatest threats facing the banking industry today. As even the smallest, most conservative banks in the country continue to adopt an increasing array of digital strategies, the industry’s cyber risk exposure has increased accordingly. And that’s why when the cyber dragon attacks, bankers need a remediation plan that they can activate quickly.

It doesn’t have to be an enormously complex plan—and in fact, the simpler the better. Jena Valdetero, a partner at the law firm Bryan Cave who has lots of experience working with companies, including banks, that have been the target of cyber attacks, says she has seen incident response plans that were 35 pages long that become an encumbrance when responders have to move quickly. “We always say that it’s better to have a three- to five-page incident response plan that hits the highlights and that your team can easily learn, remember, absorb and train on than to have a much larger plan,” she says.

Dave McKnight, a senior manager who leads consulting firm Crowe Horwath’s incident management services, says that he follows the National Institute of Standards and Technology’s Computer Security Incident Handling Guide (Special Publication 800-61, Revision 2), which was issued in 2012. “Basically, what this says is, the lifecycle of an incident response program should be preparation, detection and analysis, containment, recovery and then a post-incident review,” McKnight says.

How a bank responds to an incident often depends on its size. Large banks will probably rely on an in-house cybersecurity team, possibly augmented by resources from an outside consulting team that it has on retainer. Most smaller banks that lack the necessary funding to support an in-house response team will rely more on outside firms to handle any incidents that occur. Typically, the response team would operate from what McKnight calls a “playbook,” which is essentially a set of reference materials that would lay out the steps that the response team should take depending on what kind of incident has occurred—ransomware versus denial of service, for example—guiding the team through the various stages including containment, removal and recovery.

“Then there should be some type of look-back activity on how that was handled,” says McKnight. “Was there an opportunity for improvement in either our documentation or our skill set? How do we enrich the rest of our process so that next time around, we do it better, faster and more inclusively?”

If the bank does expect to rely on outside consultants to assist in the remediation effort, McKnight says it’s important to have those arrangements made well in advance, in part because the bank can’t necessarily count on having immediate access to those firms when an incident occurs. “Without a retainer, you don’t have a guarantee that someone is going to be available because these aren’t scheduled events,” he says of an attempted or successful hack. But merely having an outside firm on retainer isn’t enough, adds McKnight. The outside firm also needs to be thoroughly familiar with the bank’s operations, networks and cybersecurity defenses before an incident occurs. “I want [them] to understand what our plan and program and capabilities are,” he says. “That way [they’re] addressing my problems… [they’re] doing so swiftly and accurately and you’re not asking for stuff that you should know I don’t have. You’re asking for things I do have as soon as you need them.”

For banks that have a chief information security officer (CISO), this individual would typically quarterback the remediation effort, or, in the absence of a CISO, that role might be assigned to the chief information officer. But in a situation where a hacker has gained access to a bank’s computer systems, the remediation effort entails more than simply kicking them out, assessing the damage (including any loss of data) and putting a recovery plan in place. There often are stakeholders and customers to inform, as well, and possible impacts on the bank’s business. This means that the incident response team should include a wide range of executives throughout the organization.

In addition to the technical personnel, members of the remediation team would typically include the bank’s chief executive officer and possibly the chief operating and chief financial officers, as well as members of the public relations team, since it will most likely be necessary to communicate with the media in the event of a serious incident. “It really depends on how your organization is set up, but you want key stakeholders in the room—people with senior-level decision-making ability,” Valdetero says.

The board of directors typically does not have a hands-on role in the remediation effort, although the non-executive chairman (or lead director if the CEO also serves as board chairman) should be kept apprised of the remediation efforts as they unfold. Serious data breaches that involve the loss of funds or significant amounts of customer data can pose both a financial and reputational risk to the bank, which is of primary concern to the board of directors.

“I think the role [of the board] is typically overseeing from a high level the management team and making sure they are responding adequately,” Valdetero says. This would include making sure the investigation is being conducted in a thorough manner, that the team has adequate resources and the bank is complying with all applicable laws.

Another important member of the team is the bank’s general counsel if it has one, or outside counsel if it doesn’t. This is critically important if the incident involves the loss of customer information. Valdetero says it’s desirable that banks conduct their investigation under the protection of attorney-client privilege, and a lawyer will provide that protection. “I approach these types of breaches… from my background as a litigator, and as a litigator you’re always thinking worst case scenario,” she explains. “If we are sued down the road as a result of this breach… what do you want to be able to protect from disclosure, if at all possible?” Valdetero adds that while underlying factual information cannot be protected from disclosure, “you can protect legal advice and specific communications that took place for the purpose of getting legal advice, and you need legal advice in these situations because there is a myriad of laws that might be implicated by a breach.”

The bank’s remediation team may also want to reach out to law enforcement agencies such as the Federal Bureau of Investigation or Secret Service in the event of a serious data breach. Phyllis Schneck, managing director and global leader of cyber solutions at Promontory Financial Group, advises banks to establish a relationship with these agencies in advance so a communication link already exists when an incident occurs. “Typically, you want your law enforcement relationships [established] ahead of time,” Schneck says. “You want to know who to call by first name, and they’ll do that for you. You do not want to be calling 1-800-law enforcement when your hair is on fire.”

Banks are required to inform their primary federal regulator when “the institution becomes aware of an incident involving unauthorized access or use of sensitive customer information…,” according to interagency guidance on data security issues. The guidance defines sensitive customer information as a customer’s name, address or telephone number, account number, credit or debit card number, or a personal identification number or password that would permit access to a customer’s account.

Banks also have a legal obligation under the guidance to inform their customers when a serious data breach has occurred. “Financial institutions have an affirmative duty to protect their customer’s data against unauthorized access or use,” the guidance states. “Notifying customers of a security incident involving the unauthorized access or use of the customer’s information… is a key part of that duty.”

What should customers be told and when should they be told it? “In my opinion, you should tell them exactly what’s going on and if you’ve run a good cybersecurity program that will be a good message,” Schneck says. “Everybody understands that these events will happen and that we can’t prevent them 100 percent. If you have a good program, you’ll be able to bounce back.” However, in the event of a serious data breach, the bank may find itself trying to balance the need to communicate to customers quickly that an incident has occurred that could negatively impact them, with the need to communicate the correct information.

When Target Corp. was hit with a massive data breach in December 2013, it originally estimated that approximately 40 million customers had been affected. But as Target dug deeper into the breach it was forced to announce later that approximately 70 million customers had been impacted, which suggested that the company was not in full control of the situation. Says Valdetero, “We usually advise clients, if they’re going to make public-facing statements, that generally you should not commit to a specific number of affected individuals.”

How Big Data is Helping Live Oak Bank Prevent Hacking

While there is a myriad of technologies and companies on the market trying to make banking data more secure and prevent hacking, knowing which technologies and partners to choose can be a daunting task. With cyber criminals looking for any conceivable way to get into banking systems, monitoring for potential threats can seem almost impossible. Think of cyber security as a house with multiple “points of access” for potential burglars, like windows or doors. The problem is that each digital access point, from branch networks to remote data centers, presents a distinct set of cyber security problems. This often leads banks to deploy multiple software products, solutions and partners. The result can be a disjointed cyber security strategy in which banks are spread thin dealing with multiple vendors and systems.

That’s precisely the issue that Live Oak Bank—a North Carolina institution specializing in small business loans—faced as the bank’s employees were looking to improve their cybersecurity. Part of Live Oak’s promise to its customers is top-notch cyber security, but with their systems, the bank struggled to gain visibility into every potential point of access that cyber criminals might seek to exploit.

“We really wanted to protect ourselves across the board,” recalls Thomas Hill, chief technology officer at Live Oak. “But we had to address each potential security issue with separate technologies, which quickly became overwhelming. You’ve got to monitor all these devices and systems all the time, and be on top of them if—and when—a hacker comes in.”

Hill and Live Oak began evaluating options to respond to breaches quickly when they happen, and possibly detect them ahead of time. They decided to partner with Seattle-based cybersecurity company, DefenseStorm.

“Live Oak needed visibility into all areas of its network to support company-wide security and operational activities,” explains DefenseStorm chief technology officer Sean Cassidy. “With branches, staff and data centers located across the U.S., [employees] had multiple systems to monitor each point of access. They needed a way to consolidate visibility into each system, while still allowing the systems to continue operating as intended.”

DefenseStorm’s stack of cybersecurity capabilities includes real-time incident reporting, automated initial threat response and—most importantly—a proprietary big data engine built specifically for banks to analyze metadata patterns that could be indicative of a hack. Live Oak was then able to aggregate all their cyber security logs and event data into one analysis engine—with the objective of increasing visibility of security threats, and speeding up reaction time to potential breaches. They did this by implementing software that aggregates data from existing systems, and places it all into a single, easy-to-monitor dashboard. Incident tracking for compliance purposes also became more efficient, allowing the bank to report cyber incidents to state and federal regulatory agencies sooner than before.

“DefenseStorm’s incident response system allows me to not only easily see data indicating a potential hack, it allows me to immediately assign it to one of our engineers,” says Hill of Live Oak. “It really empowers them to focus in-depth on potential threats and dig deep to see if there’s a hack underway.”

DefenseStorm also continues to provide Live Oak with 24-hour monitoring and support through its so-called Guardian team, who are also responsible for offering assistance in investigating—and uncovering—potential threats. The Guardian team provides advice and recommendations to Live Oak on how to better secure its network in the future. This underscores the trend of “threat hunting,” as businesses and organizations seek to be more proactive in how they monitor systems for potential hackers.

Live Oak’s previous security system was unable to perform accurate and timely security analyses, mainly due to the increasingly large amount of data traffic occurring on the bank’s networks. Reaction time to security incidents has been greatly reduced, says Cassidy.

Finally, one of the more distinctive parts of this partnership is that Live Oak has chosen to participate as a proof-of-concept customer for features and capabilities of DefenseStorm’s software that are in the final stages of development. “With all the tools and support they provide, DefenseStorm is really turning out to be a Swiss Army knife for us—and potentially the entire banking industry,” says Hill. “This partnership has been a huge win.”

How a Board Can Become a Strategic Asset

Issues like cybersecurity, digital transformation and future business models now require the attention of not just management teams, but also bank boards. As directors engage more deeply in these issues, Bill Fisher of Diligent explains how they can enhance the effectiveness of the board to be a true strategic asset to the bank.

  • The Board’s Role as a Strategic Asset
  • Enhancing Board Effectiveness
  • Addressing Board Skills

Protecting Customers Through a Cybersecurity Control Tower

Citizens National Bank of Texas, the third-oldest independent financial institution in the state, has remained deeply committed to its local community since its founding in 1868. The bank’s hometown, personalized approach to serving customers in the Dallas-Fort Worth area has played an integral role in its success. It was this focus on the surrounding community that led CNB to provide its customers with an extra layer of security by working with DefenseStorm, a Seattle-based provider of cloud-based cybersecurity solutions.

As a full-service community bank with $859 million in assets, CNB aims to offer its customers the same service they would receive at any major, nationwide financial institution. This includes technology-driven services like online banking, mobile banking and bill pay. To offer these digital banking capabilities without exposing its network to new security vulnerabilities, CNB invested in security infrastructure and additional safeguards to protect customers and their financial information from potential cyber attacks. Although it had a solid system of security measures in place, the bank needed help monitoring its overall network activity and sought to increase the visibility of security threats.

This is where DefenseStorm comes in.

Heightened Visibility with a Cybersecurity Control Tower
DefenseStorm acts as a security control tower for CNB to detect intrusions, investigate threats, take action to stop attacks and report on cybersecurity to regulators and the bank’s board of directors. Additionally, DefenseStorm’s team of security experts provides the bank with 24/7 monitoring support, triaging alerts and working alongside the bank to ensure the strongest security possible.

By constantly monitoring network activity and working with the bank to improve its security posture and quickly resolve incidents, DefenseStorm has helped CNB discover and neutralize at least 10 cyber threats in the past year.

Previously, the bank’s internal team would have to review and analyze all security event data. Now, the bank receives alerts in real time, which allows for a more efficient response and remediation process. Additionally, the bank uses DefenseStorm’s support ticketing feature to provide a clear, documented way to track events and how they are being handled.

Wade Jones, CNB’s senior vice president and chief information officer, values the extra support DefenseStorm provides. “It’s nice, the guardianship—having a security team sitting behind me watching the front line and letting me know if there’s something we need to work on,” says Jones.

Genuine Threat or False Alert?
CNB also leverages DefenseStorm’s search and reporting features, which enable the bank to transform complex and unstructured security event data from separate systems into meaningful, actionable insight. Oftentimes, systems will produce a constant stream of security alerts, many of which are not genuine threats, but which analysts must still review. With only eight hours in the workday, it can be difficult to assess each alert—and that can desensitize employees toward alerts, potentially resulting in a genuine threat being ignored. CNB has overcome this challenge and enacted a more proactive security response by sharpening its ability to interpret large sets of event data, so the bank is only notified if a threat is genuine. Now, the bank can quickly determine the scope of a threat and escalate the event into the remediation process with a click of a button.
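The two case studies above describe the same underlying technique: pull event data from separate systems into one common schema, then correlate across systems so that an analyst is paged for a pattern rather than for every individual event. The following is an added example written for this page; it is not DefenseStorm’s software or either bank’s code. It normalises two constructed log sources (an SSH authentication server and a firewall; the log lines, IP addresses, thresholds and the rule name are all assumptions) into one `Event` schema, suppresses isolated failed logins, and raises a single enriched alert only when repeated failures are followed by a success, attaching the connections the same source address then made through the firewall.

```python
# Added example: consolidate two constructed log sources into one schema and
# correlate them so that only a genuine multi-event pattern raises an alert.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample logs (not from any real bank): an SSH auth server in
# syslog style and a firewall in key=value style. Addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-03-04T09:00:01 authsrv sshd[311]: Failed password for teller1 from 203.0.113.7 port 51001
2024-03-04T09:00:04 authsrv sshd[311]: Failed password for teller1 from 203.0.113.7 port 51002
2024-03-04T09:00:09 authsrv sshd[311]: Failed password for teller1 from 203.0.113.7 port 51003
2024-03-04T09:00:15 authsrv sshd[311]: Accepted password for teller1 from 203.0.113.7 port 51004
2024-03-04T09:10:00 authsrv sshd[311]: Failed password for ops2 from 198.51.100.5 port 40100
2024-03-04T09:30:00 authsrv sshd[311]: Accepted password for ops2 from 198.51.100.5 port 40101
"""
SAMPLE_FW_LOG = """\
ts=2024-03-04T09:00:20 src=203.0.113.7 dst=10.0.5.20 dport=445 action=allow
ts=2024-03-04T09:00:21 src=203.0.113.7 dst=10.0.5.21 dport=445 action=allow
ts=2024-03-04T09:00:22 src=203.0.113.7 dst=10.0.5.22 dport=445 action=deny
"""

AUTH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+$")
FW_RE = re.compile(r"^ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

# Tuning knobs; these values are assumptions chosen for the example.
FAIL_THRESHOLD = 3                      # failures required before a success is suspicious
FAIL_WINDOW = timedelta(minutes=2)      # failures must fall within this span
FOLLOWUP_WINDOW = timedelta(minutes=5)  # firewall activity to attach after the success


@dataclass(frozen=True)
class Event:
    """Common schema that every source is normalised into."""
    ts: datetime
    source: str          # system that produced the record
    src_ip: str
    user: Optional[str]  # None for sources that carry no username
    action: str          # auth_fail | auth_ok | conn_allow | conn_deny
    detail: str = ""     # destination host:port for firewall records


def parse_auth_log(text: str) -> List[Event]:
    """Normalise sshd lines; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            action = "auth_ok" if outcome == "Accepted" else "auth_fail"
            events.append(Event(datetime.fromisoformat(ts), "authsrv", ip, user, action))
    return events


def parse_firewall_log(text: str) -> List[Event]:
    """Normalise key=value firewall lines into the same Event schema."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, dst, dport, action = m.groups()
            events.append(Event(datetime.fromisoformat(ts), "firewall", src, None,
                                "conn_" + action, f"{dst}:{dport}"))
    return events


def correlate(events: List[Event]) -> List[Dict]:
    """One alert per (user, source IP) where FAIL_THRESHOLD failures inside
    FAIL_WINDOW are followed by a success; isolated failures and ordinary
    logins produce nothing. Each alert is enriched with the firewall
    connections the same IP made during FOLLOWUP_WINDOW after the success."""
    events = sorted(events, key=lambda e: e.ts)
    recent_fails: Dict[tuple, List[datetime]] = defaultdict(list)
    alerts = []
    for ev in events:
        if ev.source != "authsrv":
            continue
        key = (ev.user, ev.src_ip)
        fails = [t for t in recent_fails[key] if ev.ts - t <= FAIL_WINDOW]  # age out old failures
        if ev.action == "auth_fail":
            fails.append(ev.ts)
            recent_fails[key] = fails
        elif ev.action == "auth_ok":
            if len(fails) >= FAIL_THRESHOLD:
                followup = [e for e in events if e.source == "firewall" and e.src_ip == ev.src_ip
                            and ev.ts <= e.ts <= ev.ts + FOLLOWUP_WINDOW]
                alerts.append({
                    "rule": "auth_failures_then_success",   # assumed rule name
                    "user": ev.user, "src_ip": ev.src_ip,
                    "failures": len(fails), "first_failure": fails[0].isoformat(),
                    "success_at": ev.ts.isoformat(),
                    "followup_connections": len(followup),
                    "targets": sorted(e.detail for e in followup),
                })
            recent_fails.pop(key, None)  # a success resets the counter either way
    return alerts


def run_demo() -> List[Dict]:
    """Parse both constructed sources and return the consolidated alerts."""
    return correlate(parse_auth_log(SAMPLE_AUTH_LOG) + parse_firewall_log(SAMPLE_FW_LOG))
```

Run against the constructed input, `run_demo()` returns exactly one alert, for `teller1` from 203.0.113.7 with three failures and three follow-up connections to internal hosts on port 445; the single failed login by `ops2` twenty minutes before a normal success is dropped by the window and never reaches an analyst. The point of the design is that the threshold, the window and the enrichment live in one place, so tuning alert volume does not mean touching each source system.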

The ability to provide a unified, comprehensive view of the bank’s network and systems is vital. “In our journey with DefenseStorm, we’ve brought everything together, log-wise, for all systems in the bank so we can take a more holistic approach,” says Mark Singleton, chief executive officer at CNB.

Enhancing Security without Expanding Staff
Furthermore, DefenseStorm brings a level of cybersecurity expertise that would be difficult for CNB to recruit in its own market. Given the shortage of cybersecurity talent across industries, hiring qualified candidates is challenging, especially for a small community bank, as professionals with advanced security credentials are typically hired by larger corporations. To make it worse, cyber criminals realize this, often assuming that a smaller bank has less sophisticated technology and fewer defenses. However, with DefenseStorm, CNB is able to provide an enhanced level of security, comparable to larger financial institutions, without hiring an extra security expert.

For community banks, business is personal. CNB realizes this and has invested in the infrastructure needed to safeguard its customers’ financial assets.

“Unlike big banks that never see their customers outside of work, we run into ours all the time—at church or at the grocery store,” says Singleton. “If we mess up, it’s our communities, our friends and our grandmothers who are ultimately affected. It’s our job to protect them and DefenseStorm helps us do that.”

New Rules for Financial Firms in New York Put New Onus on Boards


New York-based financial services companies are under a new rule of law, one intended to protect consumers from the repercussions of a cyberattack and one that puts boards in a front-and-center role when it comes to the company’s security.

New York enacted new cybersecurity regulations this year, touted as the first law of their kind in the United States, outlining standards that are sure to resonate beyond the financial businesses—such as banks, insurance companies and other financial services firms—that the law targets.

How Far Does Regulation Go?
Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.

New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.

Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation’s mandates outline the ways in which a company must comply, and in doing so they vastly widen the base of those culpable for a breach and the requirements of a board to pay attention to its potential vulnerability and its cybersecurity planning.

New Duty for Board Members
The idea that board members should make cybersecurity a priority has risen over the years, coming into focus with the Target data breach in 2013 that resulted in members of the board of directors being sued.

In reality, banking regulators have held boards responsible for their banks’ cybersecurity programs for years, as described in the Federal Financial Institutions Examination Council’s IT Examination Handbook.

In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.

This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders on the board must take an active role in security oversight.

For the first time, the new rules say the firm must hire a chief information security officer, or CISO, to oversee policies and ensure that they’re working effectively. The CISO would report at least annually to the board, the DFS says, and according to the regulation, that person can be employed by an affiliate or third-party provider instead of being employed by the company itself.

It’s not uncommon for companies to already have much of what the new regulation requires built into their processes, but those controls should be tied to risk assessments. Lastly, as the law firm McGuireWoods notes, the new rules require penetration testing at least annually and vulnerability assessments at least quarterly. Among the new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Institutions within 72 hours of becoming aware of it.

What Comes Next
Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.

To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.