The emergence of a vibrant financial technology sector has dramatically changed the banking industry by enabling new products and services that cater to the needs and preferences of consumers in today’s digital age. In preparation for FinTech Week, an event that FinXTech is holding April 25-26 in New York, here is a look back at our recent coverage of emerging technology trends and innovation strategies for banks. These stories have appeared on the BankDirector.com website, and in digital and print versions of Bank Director magazine.
MAKING SENSE OF FINTECH LENDING MODELS
What type of fintech lending solution should your bank pursue? In this video, Mike Dillon of Akouba outlines what management teams and boards need to know about these lending models, and how each can benefit the bank.
PAYPAL’S BIG BET
The former eBay subsidiary is turning itself into a global payments powerhouse with mobile at the heart of its strategy.
COMMUNITY BANKS TO FINTECH: WE NEED YOU
Banks attending the Acquire or Be Acquired Conference in Phoenix, Arizona, discussed ways that technology companies could improve profitability and the customer experience.
2016 BANK DIRECTOR’S TECHNOLOGY SURVEY
As the banking industry struggles to innovate to meet shifting consumer expectations, 81 percent of bank chief information officers and chief technology officers responding to Bank Director’s 2016 Technology Survey say that their core processor is slow to respond to innovations in the marketplace.
For capital markets participants worldwide, Nasdaq operates as a pioneer in maintaining market resiliency and mobilizing the latest practical technologies to strengthen and optimize the business performance of our partners and, most importantly, our clients. Amidst a rapidly changing economic and political environment, the technological advances used in financial services during 2016 reached staggering new heights by year-end.
As a financial technology company, we are especially excited about what is in store for 2017. We believe the following technology trends will have a significant impact on the capital markets this year.
Machine Learning and Artificial Intelligence
Machine learning and artificial intelligence will cross-cut almost everything that we do, and it will be applicable across the board—from helping customers to trade to market surveillance. We are bringing in nontraditional data sets including email and text messaging, sentiment and macroeconomics data, and we are mining log files from different systems for insights. The technology will be used to calculate and generate indices and exchange-traded funds. It will also be integrated into exchange matching engines (the system that matches buy and sell orders) so that it can make certain trade decisions.
Collaboration Tools
Secure collaboration software and online portals will play an important part in how corporate directors and leadership teams work as compliance, board management and the need for a central document repository have become increasingly vital business propositions. These web and mobile app-based tools are typically designed with multiple security and functionality features to provide greater governance, engagement and transparency throughout an organization. As more companies begin to integrate collaboration software into their business workflows, the secure sharing of critical information will become simpler.
Cloud Computing
Cloud providers are taking security seriously, and we anticipate that the financial cloud will soon be more secure than most traditional on-premises data centers. That would potentially allow us to make sensitive information more broadly available than on traditional, centralized databases. Exchanges need to comply with rules and regulations on fair and equal access for clients, so moving front-office applications to the cloud necessitates some technology changes. Running middle-office and back-office applications in the cloud is more straightforward, but in 2017 we will continue work to address the remaining security concerns regarding data separation and customer access to data.
Data Analytics
The ability to mine data, normalize it, update analytics in real time and present it in a consolidated view is a source of competitive advantage. We are now seeing a seismic shift across the industry, with machine learning and artificial intelligence enabling users to reduce bias in the analysis and discover new patterns in the data.
There will be a diverse set of use cases for data analytics within financial services, including its application in the investor relations function, where analytics can assist the IR team by aggregating specific investor data points, filtering institutional investors by the positions they hold in your company’s stock and identifying specific investment characteristics.
Mobile Technology
Advancements in mobile technology have changed the way business professionals collaborate and access information. A new generation of cloud-based applications has simplified information sharing across device types. For example, we have combined mobile technology with other technologies—particularly cloud and blockchain—to enable remote proxy voting. To some extent, financial firms have been laggards in adopting mobile technology because of the security concerns, but addressing those will drive increased penetration.
Blockchain
Blockchain technology could create important efficiencies in position-keeping and reconciliation. For cash-settled securities, it could accelerate the clearing and settlement time frame from three days to same-day, significantly reducing risk in the system. Collateral could be moved around quickly and easily. On the settlement side, blockchain could complement several services, including managing payments and cash, transferring securities, facilitating collateral and tri-party arrangements, and securities lending.
It is clear that financial services in 2017 will evolve rapidly as new technology is integrated into the marketplace. These technologies will change how financial institutions manage their infrastructure, interact with one another, and ultimately, how industry leaders scale and grow their businesses. We are excited to see how the year unfolds.
Are the boards of directors at U.S. banks taking the cybersecurity threat seriously enough?
In Bank Director’s 2017 Risk Practices Survey, 85 percent of the 167 respondents—a group that includes bank directors, CEOs, chief risk officers, and chief information and chief technology officers—identify cybersecurity as the risk category they are the most concerned about. And that heightened level of concern is evident across all sizes of institutions in the survey, from banks under $1 billion in assets to those greater than $10 billion.
After all of the high profile, highly successful and highly publicized cyberattacks that have occurred over the last several years, surely every bank director understands the serious nature of cyber risk today. Hackers are incredibly creative and persistent in their efforts to penetrate bank security systems and steal sensitive customer data, money—or both. A successful intrusion can be costly to the bank, damage its reputation with customers, and become an issue with regulators if they believe the bank has a weak cybersecurity program.
Twenty-six percent of the respondents say their bank has experienced a data breach or some other type of cyberattack since 2015, and another 4 percent were the victims of a breach prior to 2015. In other words, nearly one-third of the respondents have already experienced a breach—an incident rate that should get all directors’ attention regardless of whether their banks have been victimized or not.
So, what is being done about this? Over the past two years, the survey participants’ banks have made a number of improvements to their cybersecurity programs, including:
Eighty-two percent have invested in technology to better detect and deter cyber threats and intrusions.
Eighty-one percent have improved training for staff.
Eighty percent have increased their focus on cybersecurity at the board level.
Seventy-five percent have improved their internal controls related to cybersecurity.
Seventy-five percent have improved and tested their bank’s cyber-incident management and response plan.
But there is still more that can be done to protect against hackers. According to the survey, 38 percent of the respondents still don’t employ a full-time chief information security officer (CISO). As one might expect, this deficiency is most evident at banks under $1 billion in assets, even though they are still likely targets for a cyberattack. The benefit of having a CISO, rather than giving this responsibility to the chief risk officer or chief information officer, is that cybersecurity has become so specialized that it should be handled full-time by one individual with experience in the field. Fifty-one percent of the survey participants say their bank won’t be hiring a CISO in 2017, and 43 percent say they are unsure. Banks under $1 billion are already less likely to employ a CISO, and the survey data suggests that they’re unlikely to hire one this year.
Most surprising of all is that only 17 percent of the respondents say cybersecurity is discussed at every board meeting. Thirty-six percent say the board reviews the issue quarterly, 19 percent say they discuss it semi-annually and 10 percent talk about cybersecurity just once a year. If cybersecurity is truly the most pressing risk management issue facing bank boards today, then why isn’t it being discussed at every board meeting, at every bank?
If it’s the board’s responsibility to set the tone at the top when it comes to risk governance throughout the bank, then it would seem that a lot of boards are tone-deaf when it comes to cybersecurity.
Cybersecurity and compliance are the top two areas of concern for the bank executives and directors responding to Bank Director’s 2017 Risk Practices Survey, sponsored by FIS. What are the best practices that boards should implement to mitigate these risks? In this video, Sai Huda of FIS highlights the survey results and details how boards can stay proactive.
I talk to a lot of bankers, and lately I have detected a shift in bankers’ attitudes towards fintech. Just a few years ago, a discussion of fintech with community bankers would have inspired a certain amount of fear. It was widely believed at the time that fintech startups would disrupt and replace traditional banks. Millennials would turn to new marketplace lenders for their credit needs and use the new payment services from the likes of Apple for all their financial needs, leaving the banks with an aging clientele that would eventually die off. As time has passed, bankers and fintech companies alike have come to understand that is simply not going to happen. Going forward, fintech companies need banks just as much, if not more, than banks need them.
I recently saw a presentation titled The Impact of FinTech on Community Banks: Deal Breaker or Money Maker, by Ronald Shevlin, director of research at the consulting firm Cornerstone Advisors. He pointed out that while the number of marketplace lenders has grown rapidly, they still account for just 1 percent of the total loan market. And while they may have seen some growth, it appears they have not done so by keeping their customers happy. According to a U.S. Treasury Department report, marketplace lenders received a customer satisfaction rate of just 15 percent, compared to community banks whose satisfaction rate hit 75 percent.
Shevlin also pointed out that as millennials age, their attitudes towards money are changing. When you are 22 with a couple of thousand dollars in the bank and a couple of credit cards with $2,000 limits, it is easy to choose the flashiest and fastest option. When we start adding some zeros to those account balances, safety and security begin to matter more than the latest technology. Because of strict regulatory oversight and FDIC insurance, banks have an enormous edge when it comes to consumer comfort with the safety of their funds.
Bankers are starting to realize that they do not need to be innovators. As Shevlin pointed out in his presentation, it is easier to innovate when you don’t have a large installed customer base. Community banks can treat fintech firms like any other vendor. They need to recognize and deploy those innovative processes that survive the birthing process and add value to the bank. Bankers looking at a new technology offered today are asking: Does this add value to the bank? Does it make me more efficient? Are my customers demanding it? If the answers to these questions are no, then there is no need to add the technology to their existing offerings. Fintech companies are no longer scary competitors, but instead are another class of vendors that banks may or may not choose to do business with based on their needs.
Community bankers are worried about the brave new digital world. I go to several conferences during the year and I have noted more than a few cybersecurity vendors in the exhibit hall. I have also noticed that more insurance companies are in attendance offering cyber insurance. One insurance vendor told me that they were seeing several dozen claims related to ransomware alone every day. The CEO of a $300 million bank out west said that cybersecurity was the only issue that kept her up at night.
Jared Hamilton, senior manager of cybersecurity at the consulting firm Crowe Horwath, gave a talk recently on cybersecurity issues where he told the bankers that they needed to pay greater attention to this critical area going forward. There needs to be someone handling cybersecurity for the bank on a full-time basis and not just as part of the administrative or IT functions. He also suggested that the purchase of cybersecurity insurance was not optional. In today’s world, your bank must have this coverage. Judging by the furrowed brows and slumped shoulders I saw in the room at one conference recently, the costs of cybersecurity will become as big a concern for community banks as climbing regulatory costs have been over the past several years.
Significant regulatory changes continued to affect the banking industry in 2016. The industry generally has moved beyond implementing the requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act, but regulatory expectations continue to rise, with increased emphasis on each institution’s ability to respond to and withstand adverse economic conditions. Regulatory supervision, often through oversight from multiple agencies, is becoming more focused on supporting compliance efforts with strong corporate cultures within the institution. Managing regulatory compliance risk for a financial institution has never been more complex.
Looking forward to 2017, regulators are expected to continue to ramp up expectations in several areas. Industry stakeholders undoubtedly will be watching closely as the new administration takes control of the White House. However, regulators are expected to continue to increase their emphasis on three areas: cybersecurity risk, consumer compliance and third-party risk management.
1. Cybersecurity Risk
Cybersecurity is likely to remain a key supervisory focal point for regulators in 2017. Regulatory officials have stressed that cybersecurity vulnerabilities are not just a concern at larger financial institutions: small banks also are at risk. As such, financial institutions of all sizes need to improve their ability to identify, assess and mitigate risks in light of the increasing volume and sophistication of cyberthreats.
The Federal Financial Institutions Examination Council (FFIEC) agencies have established a comprehensive cybersecurity awareness website that serves as a central repository where financial services companies of all sizes can access valuable cybersecurity tools and resources. The website also houses the FFIEC Cybersecurity Assessment Tool to help banks identify their risks and assess their cybersecurity preparedness. The voluntary assessment provides a repeatable and quantifiable process that measures a bank’s cybersecurity preparedness over time.
2. Consumer Compliance
The Consumer Financial Protection Bureau (CFPB)—now a more mature entity—is having a dramatic impact on the supervisory processes around consumer financial products. While the CFPB conducts on-site consumer exams for financial institutions with more than $10 billion in assets, it also has begun to work with regulators in consumer supervisory efforts at smaller banks. The CFPB also has issued a significant number of new and revised consumer regulations that apply to institutions of all sizes. Some of the more onerous requirements center on mortgage lending and the TILA-RESPA integrated disclosures (TRID).
The CFPB also continues to cast a wide net when it comes to gathering consumer complaints about financial products and services through its consumer complaint database. The latest snapshot shows the database contains information on more than one million complaints about mortgages, student loans, deposit accounts and services, other consumer loans, and credit cards.
CFPB examiners often use complaints received through the database as a channel for reviewing practices and identifying possible violations. This continued pressure has forced financial institutions to ensure their compliance management systems are supported by effective policies, procedures and governance. But keep in mind, it’s even more important now to adequately aggregate, analyze and report customer-level data, so your institution can identify and remediate problems before the regulators come after you, and so you don’t get accused of “abusive” practices under the Dodd-Frank Act.
3. Third-Party Risk Management
As a component of safety and soundness examinations, effective third-party risk management is regarded as an important indicator of a financial institution’s ability to manage its business. As a result, regulatory examinations consistently include an element of third-party risk management, and all of the federal bank regulators have issued some form of guidance related to third-party risk. The Federal Reserve’s (Fed’s) SR 13-19 applies to all financial services companies under Fed supervision. The Fed guidance focuses on outsourced activities that have a substantial impact on a bank’s financial condition or that are critical to ongoing operations for other reasons, such as sensitive customer information, new products or services, or activities that pose material compliance risk.
Guidance from the Office of the Comptroller of the Currency (OCC) on third-party risk (Bulletin 2013-29) generally is more comprehensive than the Fed guidance and requires rigorous oversight and management of third-party relationships that involve critical activities. The OCC bulletin specifically highlights third-party activities outside of traditional vendor relationships.
Outlook
The critical areas discussed here are just a few for which banks need to expect more regulatory scrutiny in 2017. While there are early indicators that some elements of Dodd-Frank and other regulatory requirements could be pared back as the new administration takes control of the White House, the industry will need to closely monitor any changes and adjust compliance efforts accordingly.
Modern banking increasingly relies upon technology and the internet to manage and streamline business operations. With increased dependence on technology comes an increased risk of security threats. Kaspersky Lab reported it had detected 323,000 malware files per day using its software in 2016. This number is 4 percent higher than in 2015.
The impact of a successful cyberattack is often quite damaging: legal liabilities, brand reputation, lack of trust from customers and partners, and ultimately, revenue. The average cost of a data breach is now up to $4 million, according to a 2016 Ponemon study.
Banks are responsible for more data than ever and as data use continues to grow, banks face the challenge of properly creating strategies, frameworks and policies for keeping sensitive data secure. Meanwhile, criminals develop new and sophisticated tactics to target valuable data.
Security is, and should be, a concern for all employees. However, leadership must be responsible for establishing and maintaining a framework for information security governance. Information security governance is defined as a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, and manages risks while monitoring the success or failure of the IT security program.
Whether it is the board of directors, executive management or a steering committee that is involved—or all of these—information security governance requires strategic planning and decision-making.
Best Practices
Despite the threats of cyberattacks and data breaches, banks can take proactive steps to better position themselves for successful security governance. What follows are five strategic best practices for information security governance:
1. Take a holistic approach. Security strategy is about aligning and connecting with business and IT objectives. A holistic approach can provide leadership with more levels of control and visibility.
What data needs to be protected? Where are the risks? Take a unified view of how information security impacts your organization and how employees view security. Get early buy-in from key stakeholders, such as those in the IT, sales, marketing, operations and legal departments. Scope out what data needs to be protected and how that fits into the larger picture.
2. Increase awareness and training. Although developed by leadership, information security governance speaks to all employees within the organization and requires a continued level of awareness. Governance creates policies and assigns accountabilities, but each employee is responsible for following the security standards.
Constant training and education on security best practices is vital. The cyberthreat landscape is rapidly changing and employees, and company training, must keep up. This way, if new threats emerge, you will be prepared.
3. Monitor and measure. Information security governance should never have a “set it, then forget it” approach. It’s about ongoing assessment and measuring. Monitoring ensures that objectives are being achieved and resources are appropriately managed. What security governance policies are working? Which policies are not?
Conduct mock data breach scenarios to test the efficacy of corporate teams and company incident response plans. Test results can reveal strong and weak links—what the bank needs to concentrate on, and what security governance policies work well under pressure.
4. Foster open communication. Stakeholders should feel they can openly communicate directly with leadership, even when sharing bad news. Open communication promotes trust and brings a higher level of visibility throughout. Engagement is key. Consider creating a steering committee comprised of executive management and key team leads (IT, marketing, finance, PR, legal, operations, etc.) to review and assess current security risks.
5. Promote agility and adaptability. Gone are the days of monolithic, cumbersome governance; banks need to adapt quickly to meet the changing tide of security threats. IT management, which is typically concerned with making tactical decisions to mitigate security risks, might have some hands-on experience and opinions about the effectiveness of a particular security policy, but their recommendations can only go so far without C-suite support. Leadership must quickly determine how to implement suggested changes throughout the bank. And if a security governance policy is ineffective, leadership must be willing to jettison the policy.
Overall, successful information security governance involves a continuous process of learning, revising and adapting. Banks need to be proactive and strategic with their security posture. Threats and incidents are inevitable, but moving strategic security governance to the forefront of your organization can help protect valuable information.
Hackers have many avenues to choose from when it comes to attacking your organization, the most obvious of which is breaking in from the outside, or attacking your network’s perimeter. But they also can choose to attack from the inside-out by targeting your employees and internal weaknesses.
Cyber criminals use tactics like password attacks, session hijacking, exploiting application vulnerabilities and leveraging malware to gain unauthorized access to your network. Once inside, they steal, delete or distort confidential data, and often alter or disable security features to enable larger future attacks and avoid detection.
As revealed in Verizon’s 2016 Data Breach Investigations Report—a yearly study composed of findings from law enforcement agencies, forensic services firms and other entities—external threat perpetrators have been responsible for at least 75 percent of confirmed data breaches in each of the last six years.
To help protect your network, all employees—from the top down—should learn to spot the signs of a possible attack or breach, from suspicious emails and system modifications to unusual network glitches.
Here are some examples of the possible tools in an attacker’s arsenal:
Session hijacking: occurs when an attacker takes over an established session between two systems, typically by stealing or predicting the session token, and then masquerades as one of the parties.
Password cracking: involves recovering the password of a user or administrator, by guessing, brute force or cracking stolen password hashes, to gain system access.
Denial of Service (DoS) attacks: bombard a system with traffic or requests, causing it to crash or to deny service to legitimate users.
Web-application attacks: hackers exploit weaknesses and/or security flaws in a web application, possibly leading to the compromise of the host device or internal network.
Malware: includes ransomware that encrypts your files on the network drives and demands payment of a “ransom” to decrypt them; rootkits that embed themselves deep in a computer’s software, replacing legitimate components or hiding malicious processes and files from security tools; and remote access trojans (RATs), disguised as legitimate programs, that give attackers an open door into your network.
Toughen Your Defenses with Vulnerability Assessments and Penetration Testing
Two complementary types of security testing help financial institutions defend against these threats: vulnerability assessments and penetration testing. The first is focused on finding as many vulnerabilities as possible; the second reveals the actual impact of an attack rather than theorizing about it, and confirms that controls work as expected.
A vulnerability assessment is designed to yield a prioritized list of the environment’s vulnerabilities, and it is the right starting point for institutions that already know they are not where they should be in terms of security. Regulatory guidance also calls for performing vulnerability assessments on your network at regular intervals, not just once. The scope, in industry terms, is breadth over depth.
This type of assessment, which helps ensure compliance with Gramm-Leach-Bliley Act data safeguard requirements, can be performed using a scanning appliance, configured by the assessment provider, that is plugged into the organization’s network. The appliance scans the entire network, hardware and software alike, performing internal vulnerability scanning, missing-patch detection and port scanning. Because it sits inside the perimeter, it also finds weaknesses that are invisible from the outside.
The provider can then analyze the data and prepare a detailed report with recommendations for securing your network.
By contrast, a penetration test’s ethical hackers seek to achieve a specific, attacker-simulated goal. A typical goal could be to gain access to the internal network and compromise a privileged account, or obtain the contents of the customer database. The test determines whether a mature security posture can withstand an intrusion attempt from a hacker. Here, the scope is depth over breadth.
A thorough penetration test consists of these elements:
Reconnaissance: Entails learning about the target using little or no interaction with their systems. This compares to a burglar watching a neighborhood to determine the patterns of its residents as well as their types of possessions and whether they have security systems. Reconnaissance includes Internet searches, website reviews, IP block information and domain name system (DNS) interrogation.
Scanning: The first major contact with the target’s systems, which involves looking for potential openings. This is likened to a burglar rattling doorknobs and checking for unlocked windows. Scanning includes network mapping, port scanning, operating system (OS) fingerprinting, service detection and vulnerability scanning.
Gaining Access: The tester attempts to compromise a system, much as the burglar breaks into the home through the most vulnerable door or window. Techniques include password attacks, web application attacks and the exploitation of vulnerable software and configuration flaws.
Maintaining Access and Covering Your Tracks: Performed only after a successful penetration of the institution’s network, these steps show whether an intruder could persist undetected, for example by installing a backdoor or tampering with logs. Many organizations forgo them, or restrict them in the rules of engagement, because they involve modifying production systems, applications and files.
It is crucial for your financial institution to maintain cyber-resilient networks and systems. The costs of disrupted business, reduced customer confidence, fines and lower profitability resulting from an attack are simply too great.
Anyone following the news knows that cybersecurity is a hot topic across all industries. This is especially true for the financial services industry. With hacks and online fraud on the rise, banks are doing everything they can to reassure customers that their digital information is safe and secure.
And in 2016, this means thinking beyond traditional security measures like a simple username and password combination or a personal identification number (PIN). Digital authentication technologies have evolved beyond passwords, and now include biometric data, like a fingerprint or voice identification, and digital identity authentication, which could combine a user’s device and location, for example.
Banks are increasingly adopting emerging technologies to minimize the opportunities hackers have to conduct illegal activities. Here are three areas that illustrate how banks are stepping up their fraud prevention game through the use of digital authentication technologies.
Federated Digital Identity
One of the biggest friction points for both security teams and users is having multiple identities and logins for different systems. That’s why forward-thinking institutions are exploring the move to a single, federated digital ID that users can authenticate themselves with across different institutions and product lines.
Giving users a single ID can improve security: the password is stored and checked in one place rather than by every system the user touches, so there are fewer credential stores for hackers to compromise and fewer weak logins to exploit. The flip side is that the single identity becomes a high-value target, so the controls around the identity provider itself, strong authentication and monitoring above all, must be correspondingly strong. Banks are also being forced to comply with increasing cybersecurity regulation as the federal government tries to combat illegal activities like money laundering. A single, well-verified identity lets a financial institution confirm quickly who it is dealing with, which eliminates unnecessary fraud investigations.
An early sign of this model is USAA’s partnership with the federal government. The goal of the partnership is to allow USAA’s members to access their banking and government accounts with a single username and password. This will serve not only to make things more convenient for the user, but to allow both the U.S. government and USAA to focus their security efforts on protecting just a single digital identity. (USAA’s customer base is restricted to active and former U.S. military members and their families.)
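The federated model described above, reduced to its essentials, as an added example that is not part of the original article and not USAA’s or the government’s implementation. Only the identity provider holds and checks the password; after a successful check it issues a short-lived, signed assertion naming the user and the one relying party allowed to accept it, and each relying party verifies signature, audience and expiry without ever seeing the password. The party names, keys, user and token format are constructed for illustration; real federations use SAML or OpenID Connect with asymmetric signatures rather than this hand-rolled HMAC token.

```python
"""Added example: a minimal federated login.

The identity provider (IdP) is the only password store. It issues a short-lived
assertion signed with a key shared with one relying party (the audience). The
relying party checks signature, audience and expiry and never handles passwords.
Names, keys and token format are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates users and issues signed assertions; the only password store."""

    def __init__(self, audience_keys):
        self._keys = audience_keys      # relying-party name -> shared HMAC key
        self._users = {}                # username -> (salt, PBKDF2 hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, audience, ttl=300, now=None):
        """Return a signed assertion for `audience`, or None if the login fails."""
        record = self._users.get(username)
        if record is None or audience not in self._keys:
            return None
        salt, stored = record
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return None
        now = time.time() if now is None else now
        claims = {
            "sub": username,               # who was authenticated
            "aud": audience,               # which relying party may accept this
            "iat": int(now),
            "exp": int(now) + ttl,         # short lifetime limits replay
            "jti": secrets.token_hex(8),   # unique id so a party can reject replays
        }
        payload = _b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
        sig = hmac.new(self._keys[audience], payload.encode("ascii"), hashlib.sha256).digest()
        return payload + "." + _b64url(sig)


class RelyingParty:
    """A bank or government portal that trusts the IdP and never handles passwords."""

    def __init__(self, name, key):
        self.name = name
        self._key = key

    def verify(self, assertion, now=None):
        """Return the authenticated username, or None if the assertion is not acceptable."""
        try:
            payload, sig = assertion.split(".")
            expected = hmac.new(self._key, payload.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return None                # forged, tampered, or signed for another party
            claims = json.loads(_b64url_decode(payload))
        except (ValueError, UnicodeError):
            return None                    # malformed token
        if not isinstance(claims, dict):
            return None
        now = time.time() if now is None else now
        if claims.get("aud") != self.name:
            return None                    # issued for a different portal
        if claims.get("exp", 0) <= now:
            return None                    # expired
        return claims.get("sub")


if __name__ == "__main__":
    keys = {"bank-portal": secrets.token_bytes(32), "gov-portal": secrets.token_bytes(32)}
    idp = IdentityProvider(keys)
    idp.register("alice", "correct horse battery staple")
    bank = RelyingParty("bank-portal", keys["bank-portal"])
    gov = RelyingParty("gov-portal", keys["gov-portal"])
    token = idp.login("alice", "correct horse battery staple", "bank-portal")
    print("bank accepts:", bank.verify(token))   # alice
    print("gov accepts:", gov.verify(token))     # None: wrong audience
```

The audience claim is what keeps a token issued for the bank from being replayed against the government portal, and the expiry is what bounds the damage if one leaks; both checks are as important as the signature itself. Note also what the relying party does not have: no password, no hash, nothing an attacker could use to log in elsewhere, which is the security argument for federation in the first place.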
While centralizing IDs and logins makes sense on the front end, banks are looking at blockchains and other distributed networks to provide additional security on the back end. A blockchain acts as a shared, append-only digital ledger; the technology was originally designed for bitcoin transactions. Because the ledger is replicated across many nodes rather than stored on a single computer or server, it removes the ledger itself as a central point of security failure.
On a blockchain, a transaction is authorized by a digital signature made with a private key the user holds (typically on the user's device), not by a password checked against a central server, so there is no central credential store for hackers to steal and reuse. The private key then becomes the asset to protect: whoever holds it can act as the user, and a lost key cannot simply be reset. The blockchain also facilitates true peer-to-peer transactions, eliminating the need for middlemen who verify ACH transfers, for example, which removes yet another potential access point for hackers.
That's why payment technology companies like Dwolla are turning to blockchain to enhance security. They partnered with BBVA earlier this year to create a real-time payments platform on the blockchain. The idea is to keep the convenience of digital payments while using the blockchain to provide an additional layer of security.
The next big wave in preventing online fraud for banks might just be biometric authentication technologies. In fact, USAA is in the process of rolling out user authentication with software that recognizes the facial contours of users before allowing them to log in. Fingerprints and facial features are far harder to phish or reuse than a password, so biometrics could provide a stronger factor than device-specific tokens alone. They are not impossible to copy, however: fingerprint and face recognition can be fooled by presentation attacks (a lifted print, a photograph or a mask), and a biometric trait cannot be changed if the stored template leaks. Sound deployments therefore pair recognition with liveness detection and keep templates on the user's device or as protected derivatives rather than as raw images in a central database.
In addition to providing secure access, biometrics take away the need to use other sensitive data for authentication purposes. Things like phone numbers, emails and Social Security numbers wouldn't have to pass back and forth during the login process, thus decreasing their exposure to theft.
Banks are forced to walk a finer line than ever, balancing convenience with security and fraud prevention. Technologies like the federated ID, blockchain and biometrics are being recognized by financial institutions as the next wave in fraud prevention. If banks are able to steadily phase these in and fortify potential security gaps along the way, they’ll be able to more effectively keep the bad guys out while keeping the customer experience smooth and seamless.
How effective is your bank’s approach to information security, including cybersecurity? On September 9, the Federal Financial Institutions Examination Council (FFIEC) published new information security examination procedures. It is critical that boards and management teams quickly get up to speed on the new exam procedures so there are no surprises in the bank’s next exam that adversely impact earnings, capital or value creation.
The new exam procedures focus on assessing the quality and effectiveness of the bank's information security program: its culture and governance; its security operations, with emphasis on cybersecurity; and its assurance processes, such as self-assessments, penetration tests, vulnerability assessments and independent audits. The procedures contain eleven objectives for examiners to attain.
The objective relating to security operations and cybersecurity is especially noteworthy, as it contains enhanced expectations. Both in the preamble and in the specific exam procedures, there is recognition that it is not a question of if, but when an attacker will break into the network, so banks need to enhance threat identification, monitoring, detection and response. Examiners will evaluate whether the bank has monitoring in place to identify malicious activity, a process to identify possible compromises in the bank’s systems, and whether it uses tools that reveal and trace an attacker’s actions, such as attack or event trees, to size up exposures and respond effectively.
While speaking on cybersecurity on the main stage at Bank Director’s 2016 Bank Audit and Risk Committees Conference in June, I electronically polled the bank directors and senior executives in attendance. The results from the 206 respondents indicate a need for banks to beef up cybersecurity to meet these enhanced regulatory expectations. While cybersecurity is a top concern for bank boards, seventy-seven percent indicated that they do not review cybersecurity at every board meeting. Fifty-nine percent of attendees said that detecting anomalous activity or threats from malicious insiders are the cybersecurity risks for which their bank is least prepared.
Source: 206 respondents, Bank Director Audit and Risk Committees Conference June 2016
When I asked how many had implemented ongoing reviews of the network visibility map for risk oversight, only 31 percent had done so. This map visually shows all assets inside the network and helps identify threats. Without this visual map, the bank will be managing its cyber risks blind.
What the Board Should Do
Here are five steps that boards should take to remain proactive regarding information security.
Review cybersecurity at every board meeting. Cybersecurity must be handled as a strategic boardroom issue, not as a back-office IT issue.
Use the new information security exam procedures to perform a self-assessment. Identify and eliminate any deficiencies well in advance of the next exam.
Review the network visibility map at every board meeting to visually identify all assets and the risk mitigation in place to protect them.
Task a "hunt" team to look for anomalies within the bank's network, as described in the new exam procedures. On average, attackers roam inside a network undetected for more than 200 days. Close that gap with analytics that can mine millions of records to reveal the attacker and the full extent of the exposure, and respond promptly.
Conduct ongoing but randomly scheduled social engineering and phishing simulation training to keep employee awareness heightened. Education can prevent employees from falling victim to real attacks and becoming the weakest link in the chain.
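The hunt-team step above, and the poll finding that detecting anomalous activity and malicious insiders is where banks feel least prepared, both come down to baselining what accounts normally do and flagging departures. The following is an added example written for this article, not code from any bank, regulator or vendor named here. It runs over constructed authentication log lines (labelled as such in the code) in a simple "timestamp key=value ..." format, learns each account's usual hours, hosts and source addresses from a quiet baseline period, and then reports off-hours logons, first-time hosts and sources, a burst of failures followed by a success, and one account reaching many hosts within minutes. The thresholds and the log format are assumptions; a real hunt would read from the bank's SIEM and tune them to its environment.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authentication logs (assumption, not from the article): a quiet baseline
# period, then the window the hunt team has been asked to review.
BASELINE_LOGS = """\
2016-05-02T08:03:11Z user=jdoe host=teller-ws-12 src=10.8.22.9 event=logon result=success
2016-05-02T09:41:55Z user=jdoe host=wire-xfer-01 src=10.8.22.9 event=logon result=success
2016-05-03T13:15:02Z user=jdoe host=teller-ws-12 src=10.8.22.9 event=logon result=success
2016-05-03T17:22:40Z user=jdoe host=wire-xfer-01 src=10.8.22.9 event=logon result=success
2016-05-02T08:30:09Z user=asmith host=teller-ws-07 src=10.8.22.31 event=logon result=success
2016-05-03T12:01:47Z user=asmith host=teller-ws-07 src=10.8.22.31 event=logon result=success
2016-05-02T01:00:00Z user=svc-backup host=db-core-01 src=10.8.40.5 event=logon result=success
2016-05-03T01:00:00Z user=svc-backup host=db-core-01 src=10.8.40.5 event=logon result=success
"""

HUNT_LOGS = """\
2016-06-14T01:00:00Z user=svc-backup host=db-core-01 src=10.8.40.5 event=logon result=success
2016-06-14T02:13:44Z user=jdoe host=wire-xfer-01 src=10.8.22.9 event=logon result=success
2016-06-14T02:15:02Z user=jdoe host=dc-01 src=10.8.22.9 event=logon result=success
2016-06-14T02:16:30Z user=jdoe host=file-srv-03 src=10.8.22.9 event=logon result=success
2016-06-14T02:17:12Z user=jdoe host=hr-db-01 src=10.8.22.9 event=logon result=success
2016-06-14T12:05:00Z user=asmith host=teller-ws-07 src=10.8.22.31 event=logon result=success
2016-06-14T22:40:01Z user=svc-backup host=db-core-01 src=203.0.113.77 event=logon result=failure
2016-06-14T22:40:03Z user=svc-backup host=db-core-01 src=203.0.113.77 event=logon result=failure
2016-06-14T22:40:05Z user=svc-backup host=db-core-01 src=203.0.113.77 event=logon result=failure
2016-06-14T22:40:07Z user=svc-backup host=db-core-01 src=203.0.113.77 event=logon result=failure
2016-06-14T22:40:09Z user=svc-backup host=db-core-01 src=203.0.113.77 event=logon result=failure
2016-06-14T22:40:11Z user=svc-backup host=db-core-01 src=203.0.113.77 event=logon result=success
"""

def parse(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict; None for lines we cannot read."""
    ts, _, rest = line.strip().partition(" ")
    try:
        rec = dict(kv.split("=", 1) for kv in rest.split())
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return rec if {"user", "host", "src", "result"} <= rec.keys() else None

def learn_baseline(lines):
    """Per account: the hours, hosts and source addresses seen in successful logons."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "srcs": set()})
    for rec in filter(None, map(parse, lines.splitlines())):
        if rec["result"] == "success":
            base[rec["user"]]["hours"].add(rec["ts"].hour)
            base[rec["user"]]["hosts"].add(rec["host"])
            base[rec["user"]]["srcs"].add(rec["src"])
    return base

def hunt(baseline_lines, hunt_lines, fail_threshold=5, fail_window_s=600,
         lateral_hosts=3, lateral_window_s=600):
    """Return (kind, user, timestamp, detail) findings for the review window."""
    base = learn_baseline(baseline_lines)
    by_user = defaultdict(list)
    for rec in sorted(filter(None, map(parse, hunt_lines.splitlines())), key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)
    findings = []
    for user, recs in by_user.items():
        profile = base.get(user)
        failures, successes, lateral_flagged = [], [], False
        for r in recs:
            t, when = r["ts"].timestamp(), r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
            if r["result"] != "success":
                failures.append(t)
                continue
            if profile is None:  # an account with no history at all is itself a lead
                findings.append(("unknown_account", user, when, "no history in baseline"))
            else:
                lo, hi = min(profile["hours"]), max(profile["hours"])
                if not lo <= r["ts"].hour <= hi:
                    findings.append(("off_hours", user, when, f"hour {r['ts'].hour:02d} outside {lo:02d}-{hi:02d}"))
                if r["host"] not in profile["hosts"]:
                    findings.append(("new_host", user, when, r["host"]))
                if r["src"] not in profile["srcs"]:
                    findings.append(("new_source", user, when, r["src"]))
            # a burst of failures right before a success: guessing or stuffing that worked
            failures = [x for x in failures if t - x <= fail_window_s]
            if len(failures) >= fail_threshold:
                findings.append(("brute_force", user, when, f"{len(failures)} failures then success"))
            failures = []
            # one account touching many hosts in a short window: classic lateral movement
            successes = [(x, h) for x, h in successes if t - x <= lateral_window_s] + [(t, r["host"])]
            hosts = {h for _, h in successes}
            if len(hosts) >= lateral_hosts and not lateral_flagged:
                findings.append(("lateral_movement", user, when, ",".join(sorted(hosts))))
                lateral_flagged = True
    return findings

def summarize(findings):
    """Count findings per (kind, user) so a reviewer can triage account by account."""
    counts = defaultdict(int)
    for kind, user, _, _ in findings:
        counts[(kind, user)] += 1
    return dict(counts)

if __name__ == "__main__":
    for kind, user, when, detail in hunt(BASELINE_LOGS, HUNT_LOGS):
        print(f"{when} {kind:17} {user:11} {detail}")
```

On the constructed data the teller account asmith stays clean, jdoe lights up for off-hours logons to three hosts it has never touched, and the backup service account shows five failures from an outside address followed by a success. Each finding is a lead for the hunt team, not a verdict; the value of the baseline is that it turns millions of routine records into a short list worth a human's attention.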
In March, the Consumer Financial Protection Bureau fined an online payment processor for engaging in unfair, deceptive or abusive acts and practices (UDAAP), due to its failure to implement an adequate information security program and protect consumer data. Other regulators have taken notice, and will not hesitate to assess enforcement actions for information or cybersecurity deficiencies using UDAAP or other enforcement tools available against banks and their technology providers. Information or cybersecurity lapses can cause irreparable harm to the bank, and tarnish its reputation instantly. The stakes are very high. Banks must stay one step ahead.