Emerging Technologies Combat Cybercrime



Anyone following the news knows that cybersecurity is a hot topic across all industries. This is especially true for the financial services industry. With hacks and online fraud on the rise, banks are doing everything they can to reassure customers that their digital information is safe and secure.

And in 2016, this means thinking beyond traditional security measures like a simple username and password combination or a personal identification number (PIN). Digital authentication technologies have evolved beyond passwords, and now include biometric data, like a fingerprint or voice identification, and digital identity authentication, which could combine a user’s device and location, for example.

Banks are increasingly adopting emerging technologies to minimize the opportunities hackers have to conduct illegal activities. Here are three areas that illustrate how banks are stepping up their fraud prevention game through the use of digital authentication technologies.

Federated Digital Identity
One of the biggest friction points for both security teams and users is having multiple identities and logins for different systems. That’s why forward-thinking institutions are exploring the move to a single, federated digital ID that users can authenticate themselves with across different institutions and product lines.

Giving users a single ID provides greater security. Login information isn’t being passed around among multiple systems, so hackers have fewer access points to exploit. Banks are also being forced to comply with increasing cybersecurity regulation as the federal government tries to combat illegal activities like money laundering. Having a single ID would allow financial institutions to quickly access that user’s unique digital token, thereby eliminating unnecessary fraud investigations.

An early sign of this model is USAA’s partnership with the federal government. The goal of the partnership is to allow USAA’s members to access their banking and government accounts with a single username and password. This will serve not only to make things more convenient for the user, but to allow both the U.S. government and USAA to focus their security efforts on protecting just a single digital identity. (USAA’s customer base is restricted to active and former U.S. military members and their families.)

Blockchain Technology
While centralizing IDs and logins makes sense on the front end, banks are looking at the blockchain and distributed networks to provide additional security on the back end. The blockchain acts as a digital public ledger, and the technology was originally designed for bitcoin transactions. Because information on the blockchain isn’t stored on a single computer or server, it removes the risk of a central point of security failure.

Since blockchain technology authenticates users based on a device-specific token, hackers can’t just steal user data from a central server for the purpose of fraudulent usage. The blockchain also facilitates true peer-to-peer transactions, eliminating the need for middlemen who verify ACH transfers, for example. This eliminates yet another potential access point for hackers.

That’s why payment technology companies like Dwolla are turning to blockchain to enhance security. They partnered with BBVA earlier this year to create a real-time payments platform on the blockchain. The idea is to still provide the convenience of digital payments, but facilitated by the blockchain to provide an additional layer of security.

Biometric Authentication
The next big wave in preventing online fraud for banks might just be biometric authentication technologies. In fact, USAA is in the process of rolling out user authentication with software that recognizes the facial contours of users before allowing them to log in. Since things like fingerprints and facial features are nearly impossible for hackers to duplicate, biometrics could provide even more security than device-specific tokens.

In addition to providing secure access, biometrics take away the need to use other sensitive data for authentication purposes. Things like phone numbers, emails and Social Security numbers wouldn’t have to pass back and forth during the login process, thus reducing their exposure to theft.

Banks are forced to walk a finer line than ever, balancing convenience with security and fraud prevention. Technologies like the federated ID, blockchain and biometrics are being recognized by financial institutions as the next wave in fraud prevention. If banks are able to steadily phase these in and fortify potential security gaps along the way, they’ll be able to more effectively keep the bad guys out while keeping the customer experience smooth and seamless.

The New FFIEC Information Security Examination Procedures: What Boards Should Be Doing Now


How effective is your bank’s approach to information security, including cybersecurity? On September 9, the Federal Financial Institutions Examination Council (FFIEC) published new information security examination procedures. It is critical that boards and management teams quickly get up to speed on the new exam procedures so there are no surprises in the bank’s next exam that adversely impact earnings, capital or value creation.

The new exam procedures focus on assessing the quality and effectiveness of the bank’s information security program, including its culture, governance, security operations (with emphasis on cybersecurity) and assurance processes, such as self-assessments, penetration tests, vulnerability assessments and independent audits. The procedures contain eleven objectives for the examiners to attain.

The objective relating to security operations and cybersecurity is especially noteworthy, as it contains enhanced expectations. Both in the preamble and in the specific exam procedures, there is recognition that it is not a question of if, but when an attacker will break into the network, so banks need to enhance threat identification, monitoring, detection and response. Examiners will evaluate whether the bank has monitoring in place to identify malicious activity, a process to identify possible compromises in the bank’s systems, and whether it uses tools that reveal and trace an attacker’s actions, such as attack or event trees, to size up exposures and respond effectively.

While speaking on cybersecurity on the main stage at Bank Director’s 2016 Bank Audit and Risk Committees Conference in June, I electronically polled the bank directors and senior executives in attendance. The results from the 206 respondents indicate a need for banks to beef up cybersecurity to meet these enhanced regulatory expectations. While cybersecurity is a top concern for bank boards, seventy-seven percent indicated that they do not review cybersecurity at every board meeting. Fifty-nine percent of attendees said that detecting anomalous activity or threats from malicious insiders are the cybersecurity risks for which their bank is least prepared.

[Figure: poll results on board cybersecurity oversight. Source: 206 respondents, Bank Director Audit and Risk Committees Conference, June 2016]

When I asked how many had implemented ongoing reviews of the network visibility map for risk oversight, only 31 percent had done so. This map visually shows all assets inside the network and helps identify threats. Without this visual map, the bank will be managing its cyber risks in the blind.

What the Board Should Do
Here are five steps that boards should take to remain proactive regarding information security.

  1. Review cybersecurity at every board meeting. Cybersecurity must be handled as a strategic boardroom issue, not as a back-office IT issue.
  2. Use the new information security exam procedures to perform a self-assessment. Identify and eliminate any deficiencies well in advance of the next exam.
  3. Review the network visibility map at every board meeting to visually identify all assets and the risk mitigation in place to protect them.
  4. Task a “hunt” team to identify anomalies within the bank’s network, as described in the new exam procedures. On average, attackers roam inside the network undetected for more than 200 days. Eliminate the exposure using advanced analytics that can mine through millions of records and reveal the attacker and the entire exposure. Response must be prompt.
  5. Conduct ongoing but randomly scheduled social engineering and phishing simulation training to keep employee awareness heightened. Education can prevent employees from falling victim to real attacks and becoming the weakest link in the chain.

In March, the Consumer Financial Protection Bureau fined an online payment processor for engaging in unfair, deceptive or abusive acts and practices (UDAAP), due to its failure to implement an adequate information security program and protect consumer data. Other regulators have taken notice, and will not hesitate to assess enforcement actions for information or cybersecurity deficiencies using UDAAP or other enforcement tools available against banks and their technology providers. Information or cybersecurity lapses can cause irreparable harm to the bank, and tarnish its reputation instantly. The stakes are very high. Banks must stay one step ahead.

Embracing Disruption: Why Banks and Fintechs Should Work Together in a Regulated Environment



At first glance, financial technology companies and banks are competitors with similar products but different business models. Fintech companies need fast growth to survive. They must exercise quick marketing strategies and adaptive technologies. And they excel at reaching customers in new ways and providing more personalized customer service. Banks, on the other hand, rely on well-established customer networks, deep pockets and industry experience for their success. However, if they want to preserve their customer base and continue to grow, banks will have to adapt to what’s happening in the financial technology space.

Fintech companies and banks both face many unique challenges. Fintech companies must often decide how to allocate limited resources between marketing, intellectual property, compliance and cybersecurity concerns. Banks depend on legacy technology, lack market speed and must continue to keep pace with new banking regulations and technologies. Although both fintech companies and banks face significant legal barriers, they have different needs and strengths. Fintech companies need the deep regulatory experience that banks have developed over many decades. Banks need flexibility to adapt new technologies to changes in the compliance landscape. These differing but not incompatible needs present an opportune cross point for partnership.

The following laws and regulations exemplify a small portion of the regulatory challenges and business relationship opportunities for fintech companies and banks. Please be aware that all financial products—especially new financial technology products with uncharted regulatory profiles—may implicate many other laws not discussed below.

  • Money transmission laws: In order for a fintech company to transfer money between two individuals, it must be licensed under federal and state money transmission laws. State money transmitter laws vary greatly and this creates a considerable barrier to entering the market on a national scale. Banks are generally exempt from state money transmitter laws. Fintech companies can meet money transmitter compliance requirements by strategically structuring the flow of money with banks. Alternatively, fintech companies can act as an authorized agent of a licensed money transmitter service provider.
  • Lending and brokerage laws: State law may require a lender, buyer, servicer or loan broker to be licensed to engage in its respective activity. A fintech company may face severe consequences for unlicensed lending or brokerage practices. Banks in many cases are able to engage in these types of activities. Fintech companies and banks can structure a business relationship to ensure that appropriate legal precautions are in place. Even if a fintech company is licensed, it does not have the ability to use and apply the interest rates of its home state, a power that is afforded to national banks. Fintech companies may be stuck with interest rate limitations set by the state where the borrower lives. Thus, a strategically structured relationship between a bank and fintech company may provide advantages beyond compliance for lending and brokerage products.
  • UDAP/UDAAP laws: Unfair, deceptive or abusive acts or practices affecting commerce are prohibited by law. Both fintech companies and banks face exposure to penalties for engaging in unfair, deceptive or abusive acts. Taking advantage of fintech companies’ adaptive technologies may help banks minimize the risk of committing the prohibited practices. For example, fintech companies may help banks design software that displays pop-up warnings on a customer’s phone before the customer makes an overdraft.
  • Financial data law: Financial data is a growing industry that has seen increasing regulatory oversight. Both fintech companies and banks collect enormous amounts of data and may use it for various legal purposes. Data is the core part of the fintech business; fintech companies collect data and rely on data. However, fintech startups do not have the legal and technical resources of traditional banks to resolve a variety of regulatory and cybersecurity concerns related to the use of data. Fintech companies can partner with banks, particularly with respect to cybersecurity issues. A bank offering products through or with a third party is responsible for assessing the cybersecurity risk related to that third party and mitigating it, and thus parties should consider some important questions upfront, including where the data is located, who owns it and how it is protected.

Despite the many issues and concerns that may arise from the partnership between fintech companies and banks, cooperation colors the future. Fintech companies can take advantage of the industry knowledge that bankers possess, certain regulatory advantages that banks enjoy and the industry’s cybersecurity infrastructure. Banks can take advantage of fintech companies’ ability to create new products, certain regulatory advantages and adaptability to regulations. With an understanding of the legal and regulatory framework of fintech companies and banks, their different business models can be used as an opportunity rather than a barrier to business.

Aggressive Action Needed to Secure Banking’s Digital Future



As a community bank stock investor, one of my biggest tasks is to read. To stay on top of what is going on in the industry I read all the pertinent releases from the FDIC, the Fed and the OCC. I also read a few hundred bank earnings reports every quarter as well as the transcripts of the company conference calls if they are available. Over the years it became obvious that I needed to stay informed of developments concerning the major lending markets so I added reports from homebuilders, real estate developers and REITs to the mix. When it became clear that fintech was going to change the industry in a meaningful way, I added the reports of public fintech companies to the mix as well.

In reading the fintech reports one thing became very obvious to me. The key to fintech’s future is going to be cybersecurity. None of the innovation and productivity improvements offered by the new technology for banking means anything if the data and funds can easily be hacked, manipulated or stolen. So I have added cybersecurity companies to my reading list and that’s what led me to the transcript of a quarterly call with the CEO of Vasco Data Security Systems.

Vasco is a leader in providing two-factor authentication and digital signature solutions to financial institutions. It does business with many of the world’s largest financial institutions and has more than 10,000 customers around the globe. Founder and CEO Ken Hunt has been involved in the cybersecurity industry since the 1990s and has seen its growth explode as cyber crime became the next big thing in criminal activity. On his most recent conference call he discussed the current trends in cybersecurity with a special emphasis on the banking industry.

The growing use of EMV cards has made it more difficult to steal data and funds during the payment process. While Hunt sees this as a major step forward in protecting the customer’s money, it has not deterred the cyber thieves but merely pushed them in new directions such as mobile and online banking as venues for stealing data and funds.

Hunt pointed out that according to a recent report from consulting firm KPMG nearly three out of four consumers—and almost 90 percent of millennials—use mobile banking. While it is the wave of the future, unfortunately it is also one of the most vulnerable points in the banking process. Staying out in front of potential cyber threats to their mobile banking systems will be critical for banks going forward as the same study points out that most consumers would switch banks if their current institution was hacked and it did not take immediate steps to fix the situation and reimburse their losses. Banks have to offer mobile platforms for competitive and customer preference reasons, but they will also have to spend money to keep the platform secure from what will be relentless hacking efforts by the bad guys.

According to Hunt, biometric identification is going to be a big part of the mobile security solution. We are already seeing some banks and credit card processors use fingerprints and what MasterCard is calling “selfie” identification to control access to mobile banking and payment systems. He cited a study recently released by Acuity Market Intelligence that estimates that by the end of 2018 all smartphones shipped will contain a biometric identification system. Banks that want to stay in the forefront of mobile banking will need to consider adopting such a system if they want to retain a security conscious customer base.

While mobile is a cybersecurity hot spot, Hunt also referenced what he called the “enduring nature” of hardware-based security. Cyber attacks against banks are not going to go away, but will become more aggressive and sophisticated over time. Hardware-based security programs will need to be constantly updated. Traditional bank robberies have declined in number in recent years. Typically, they are the work of not very bright criminals, and an estimated 98 percent of them are captured and spend a significant portion of their lives as guests of Uncle Sam. Cyber criminals tend to be smarter and have the luxury of being able to attack from remote locations. They will be much harder to catch and their tactics will evolve as protection systems grow stronger, so it is likely that hacking attempts directed at banks will continue to grow at a rapid pace.

Fintech is changing banking and it is happening very quickly, particularly in the mobile space. Reading Hunt’s discussion with investors and analysts reveals that banks that want to survive and thrive will need to take aggressive action to protect customer data and funds as we move into an increasingly digital and mobile world of banking.

Raising the Bar: Top Challenges Facing Bank Boards


Regulators are expecting more and more from bank management teams and boards. In this video, Lynn McKenzie, a partner at KPMG, offers solutions to help address the top challenges facing the industry.

  • Legal and Regulatory Compliance
  • Cybersecurity
  • Financial and Regulatory Reporting
  • Vendor Risk Management

Taking on the Toughest Challenges


As bank leaders explore different avenues for growth, they must also weigh the risks that could threaten their institution. In this panel discussion from Bank Director’s 2016 Bank Audit & Risk Committees Conference, led by President & CEO Al Dominick, Dale Gibbons of Western Alliance Bancorp., Lynn McKenzie of KPMG and Bill Fay of Barack Ferrazzano Kirschbaum & Nagelberg focus on the key issues that bank boards and executive teams need to address, from third-party vendor risk to strategic growth.

Highlights from this video:

  • Top Issues for Audit & Risk Committees
  • Aligning Growth Strategy & Risk
  • Evaluating Partnership Opportunities
  • Addressing Technology & Cybersecurity as a Board

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance


Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.

Three Critical Challenges for Bank Audit Committees


As the effects of the banking crisis continue to recede, regulatory agencies have shifted their focus. As asset quality concerns gradually diminish, regulators are scrutinizing corporate governance and risk management issues more closely.

In this environment, audit committees are being challenged to meet a higher standard regarding their understanding of their organization’s risk profile and often must adapt their approach to reflect changing business priorities. Three areas of concern merit special attention as they present audit committees with significant challenges.

Challenge 1: Cybersecurity Risk
Cybersecurity is a paramount issue in financial institutions today, ranking as the number one concern of bank executives and board members in the annual Bank Director Risk Practices Survey for two years running. In the 2016 survey, 77 percent of the respondents said cybersecurity was their top concern, and more than half said preparing for cyber attacks is one of their biggest risk management challenges.

Those numbers are not surprising because banks are a natural target for hackers. But the challenge of managing cybersecurity risk is complicated by banks’ natural reluctance to publicize breaches due to their legitimate fear of alerting other hackers to their vulnerabilities. Unfortunately, this justifiable secrecy makes it more difficult for other banks to learn from their peers’ experiences and hinders banks’ ability to recognize comparable weaknesses in their own systems and third-party relationships.

Another complicating factor is the makeup of the audit committee itself. Committee members very rarely have professional IT backgrounds, so they must rely on qualified third parties to provide insights into risks and mitigation strategies.

Recent regulatory guidance can help overcome this challenge to some extent. Audit committee members should be thoroughly familiar with the Federal Financial Institutions Examination Council’s two-part Cybersecurity Assessment Tool, which was issued in 2015 to help institutions identify their risk exposure and determine if their risk management programs are appropriately aligned. The audit committee should make sure management completes this assessment and integrates its principles into the overall risk management effort.

In addition, the Office of the Comptroller of the Currency (OCC) regularly issues joint statements with other bank regulatory bodies on specific cybersecurity concerns such as new malware developments, extortion attempts, and other current trends. Committee members should stay abreast of the most recent OCC statements on the agency’s website and confirm that management is following the specific preventive steps listed in those statements.

Challenge 2: Reallocating Audit Resources
In the current industry environment of shrinking margins and growing cost pressures, audit committees often must address increasing regulatory compliance demands and growing cybersecurity risk while struggling with resource constraints. Fortunately, there often are unrecognized opportunities to control risk management costs by reallocating resources to reflect changing business models.

For example, as customer habits and access methods change, some financial institutions are reassessing whether it is cost-effective to continue applying the same level of risk mitigation activity at the branch level. Steps such as lengthening the intervals between traditional branch audits and reassigning certain risk control responsibilities to operational managers make it possible to reallocate some internal audit resources to new, more pressing areas of risk. Audit committee members should be alert to such opportunities to reassess and fine-tune the audit approach to reflect today’s business reality.

Challenge 3: Adapting to New Strategies
Shrinking margins also are leading banks to look for opportunities to diversify their revenue strategies. But every new revenue stream requires new operational and support functions and opens up new categories of risk that must be assessed, controlled, and managed. One of the important responsibilities of the audit committee is to actively assess how a new business line will affect the institution’s risk parameters and to determine how those parameters can be addressed effectively and efficiently.

New revenue streams and changing business strategies are nothing new, of course. Historically, bank directors always have been challenged to adapt to shifts in economic and business priorities. In today’s environment, however, with greater regulatory emphasis on the management of risk, the challenges to audit committees are intensified. An effective response to these challenges can have a direct, significant and positive effect on an institution’s long-term success.

Technology’s Old Guard Focuses on Cybersecurity



In the good old days, robbing a bank took some logistical planning. You needed enough gun-wielding associates to cover the lobby while the heist went down, and of course you needed a getaway car and a place to lay low. Today, all you need to rob a bank is a cheap laptop, some hacking skills and a high speed wireless connection. Talk to bankers and they’ll tell you that cybersecurity is their top concern. The reputational risk of a successful attack, let alone the potential financial exposure, is devastating.

Famed bank robber Willie Sutton once said he kept robbing banks because that’s where the money was. Of course, cyber thieves now steal identities and credit information instead of greenbacks, and their dogged persistence has turned cybersecurity into a growth industry. According to a recent report published by Homeland Security Research Corp., “Banking and Financial Services Cybersecurity: U.S. Market 2015-2020,” the financial services industry is the largest nongovernment cybersecurity market in the country. The industry is projected to spend $75 billion between 2016 and 2020 on cybersecurity measures.

Technology companies are well aware of the size and potential of the financial institutions marketplace for cybersecurity products and are rushing to develop products to meet the need. I doubt that many of the smaller ones will make much headway in financial services without partnering with a major tech firm. The career risk for a bank chief technology officer who hires Garage Genius Cyber Security is too great. Hiring a new young, innovative company gets you fired if an attack is successful. Hiring an old established well known company not only helps protect the bank from attack, it helps protect the CTO’s job if something goes wrong.

The older, more established companies are aware they have to keep up and are partnering with or acquiring new startups with promising cybersecurity products and services. This should allow them to offer cutting edge services to the financial community and still offer the peace of mind of a well-established and deep pocketed technology provider.

Already very active in the bank cybersecurity market, IBM has been buying up smaller cybersecurity companies, and I expect that to continue as the company moves to counter new and developing threats. Vasco Data Security International, a world leader in two-factor authentication and transaction signing for financial institutions with more than half of the world’s top 100 banks on its client roster, last year completed its acquisition of Silanis Technology Inc., a leading provider of electronic signature and digital transaction solutions with a strong presence in the financial institutions marketplace.

Unisys’ new Stealth cybersecurity products can be used to protect your core data as well as mobile and cloud-based platforms. And Cisco will continue to build its presence in the financial services cybersecurity market via acquisition. The company started down this path in 2013 by buying Sourcefire and has since added ThreatGRID, OpenDNS and Lancope, and I expect it to make additional acquisitions as well.

Given their elevated concern about cybersecurity, most financial institutions are going to be reluctant to use smaller, younger companies—which means the established technology leaders should see the bulk of the money. And they, in turn, will have to be aggressive about buying and developing new technology to remain in front of the increasingly innovative and aggressive attacks that criminals will employ.

How Banks Can Increase Cybersecurity Risk Management

In mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute long swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades. Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.

Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.

A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.

Targeting the Weakest Link
The most common and effective form of cyberattack is social engineering: contacting personnel by email or phone and duping them into disclosing confidential information, such as credentials, that can subsequently be used to gain access to systems and data. Alternatively, an employee opens an attachment or link in a phishing email and unwittingly installs customized, often quite sophisticated malware, the malicious software attackers use to gain a foothold inside IT systems.

Financial institutions are clearly not immune to such attacks, and both the opportunities for and the attempts at unauthorized access have increased. Perimeter controls such as firewalls are no longer enough on their own to protect an institution from modern threats: although they thwart some attacks, the outdated banking processes and systems behind them are commonly the weak link exploited in these scenarios.

Implement a Risk-Based Approach
Most banks would claim they have a mature risk-assessment process, and to an extent this may be true. But the focus is often primarily on business risk rather than cybersecurity, and therein lies the issue. As a result, areas of weakness such as the interconnections to ATM networks may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT, so, despite being attacked virtually every day, they cannot react to every alert. Moreover, a bank’s internal enterprise risk management group may not be familiar with current threats or trained to respond to advanced ones.

IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.

There are a number of steps that financial institutions can take in order to mitigate IT security risks:

  • User awareness training: One of the most effective actions any organization can take to reduce the risk of a successful attack is employee and customer education, because social engineering targets people rather than systems. Training will differ depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attack.
  • Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust program will evaluate, and periodically re-evaluate, threats across the full set of systems and interconnections the bank operates, not only the core banking platform.
  • Identify weaknesses: If the bank doesn’t examine the weaknesses in its systems, the hackers will. There is a reason the hackers used ATMs owned by one bank to steal money from another institution: they knew that most systems would give them a few hours’ lead time before the withdrawals were reported back to the issuing bank. Understanding this weakness and implementing mitigating controls, such as real-time alerts on unusual withdrawal volume, could have at least minimized the damage inflicted by such an attack.
  • Add controls: Management must develop and implement preventive controls designed to keep incidents from occurring and to deter unauthorized access. That said, it should also be assumed that these controls will eventually fail. Detective controls therefore monitor for and alert on malicious or unauthorized activity, including activity by employees, whether intentional or not. Corrective controls then limit the scope of an incident and contain the unauthorized activity.
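As an added illustration of the detective control the last two bullets call for (example code written for this page, not code from the article or from any bank), the Python below replays a constructed set of ATM withdrawal records and raises an alert when a card’s cumulative cash in the trailing 24 hours exceeds the limit the issuer expects to be enforced, or when the card is used at more than a handful of distinct acquiring banks within an hour. The daily limit, the thresholds, the card identifiers, bank names, cities and timestamps are all assumptions made for the example.

```python
"""Detective control for ATM cash-out attacks (added example, not from the article).

Both rules are evaluated from the transaction stream itself, never from the
limit stored on the card record, so an attacker who has raised or removed that
limit does not also silence the alert.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample withdrawal records (assumed data for the example):
# one ordinary card and one card being cashed out across other banks' ATMs.
SAMPLE_WITHDRAWALS = [
    # (card_id, timestamp, amount, acquiring_bank, city)
    ("4111-A", "2015-06-01T09:10:00", 200.0, "BANK-1", "Moscow"),
    ("4111-A", "2015-06-02T12:45:00", 200.0, "BANK-1", "Moscow"),
    ("4111-A", "2015-06-03T18:30:00", 300.0, "BANK-1", "Moscow"),
    ("4111-B", "2015-06-02T02:00:00", 500.0, "BANK-2", "Kazan"),
    ("4111-B", "2015-06-02T02:04:00", 500.0, "BANK-3", "Kazan"),
    ("4111-B", "2015-06-02T02:07:00", 500.0, "BANK-2", "Kazan"),
    ("4111-B", "2015-06-02T02:11:00", 500.0, "BANK-4", "Samara"),
    ("4111-B", "2015-06-02T02:15:00", 500.0, "BANK-5", "Samara"),
    ("4111-B", "2015-06-02T02:20:00", 500.0, "BANK-3", "Kazan"),
]

EXPECTED_DAILY_LIMIT = 1000.0      # assumed issuer policy for the example
DAILY_WINDOW = timedelta(hours=24)
FANOUT_WINDOW = timedelta(hours=1)
MAX_ACQUIRERS = 3                  # assumed threshold for the example


def detect_cashout(withdrawals, daily_limit=EXPECTED_DAILY_LIMIT,
                   max_acquirers=MAX_ACQUIRERS):
    """Replay withdrawals in time order and return a list of alerts.

    Each alert is (card_id, rule, trigger_timestamp, detail).
      * limit_exceeded: cash withdrawn in the trailing 24h passes daily_limit.
      * acquirer_fanout: more than max_acquirers distinct acquiring banks
        served the card within one hour.
    Each rule fires at most once per card so an operator is not flooded.
    """
    per_card = defaultdict(deque)   # card_id -> deque of (ts, amount, acquirer)
    alerts, fired = [], set()
    for card, ts_text, amount, acquirer, _city in sorted(withdrawals, key=lambda w: w[1]):
        ts = datetime.fromisoformat(ts_text)
        history = per_card[card]
        history.append((ts, amount, acquirer))
        # Drop entries older than the longest window we evaluate (oldest first).
        while history and ts - history[0][0] > DAILY_WINDOW:
            history.popleft()

        day_total = sum(a for _, a, _ in history)
        if day_total > daily_limit and (card, "limit_exceeded") not in fired:
            fired.add((card, "limit_exceeded"))
            alerts.append((card, "limit_exceeded", ts_text,
                           f"{day_total:.2f} withdrawn in 24h > {daily_limit:.2f}"))

        recent_acquirers = {acq for t, _, acq in history if ts - t <= FANOUT_WINDOW}
        if len(recent_acquirers) > max_acquirers and (card, "acquirer_fanout") not in fired:
            fired.add((card, "acquirer_fanout"))
            alerts.append((card, "acquirer_fanout", ts_text,
                           f"{len(recent_acquirers)} acquirers in 1h: {sorted(recent_acquirers)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_cashout(SAMPLE_WITHDRAWALS):
        print(*alert)
```

On the sample data the ordinary card never alerts, while the cashed-out card trips the limit rule on its third withdrawal and the fan-out rule when a fifth bank’s ATM appears. Because an issuer normally authorizes each ATM withdrawal as it happens, a check like this can run on the authorization stream at the moment of the transaction rather than waiting for the other bank’s settlement report, which is exactly the lead time the attackers in the bullet above were counting on.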

With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.