Embracing Fraud Protection as a Differentiator

Community banks are under pressure from the latest apps or start-ups that attempt to lure customers away with features that they may lack: cutting edge technology, international capabilities and a digital-first approach.

However, much less attention is focused on where established banks thrive: compliance. It might not be as flashy as the latest app, but being able to offer customers a sense of protection is more valuable than many would believe. Main Street banks have long been integral parts of their communities, serving both local businesses and families through their people-first approach. These institutions are well known for reinvesting back into their communities, making them intertwined with their neighborhood. This approach is unique and solidified the reputation of these institutions as personable — a sentiment that remains today, even as tech giants grow within the financial sector. Established institutions have an edge as their long histories and reputations are deemed by consumers as more trustworthy than fintechs.

Public trust is a valuable asset, especially after high-profile data breaches in recent years and coronavirus scams. Payment scams suffered by banks and companies are typically front-page news and can cause significant damage to the business with costly fines and reputation harm. More than 75% of customers say security is a top consideration when choosing a financial institution. Interestingly, even if the organization is not directly at fault, consumers still consider them culpable. In fact, 63% say a company is always responsible for their data — even if the scam resulted from their direct actions, including falling for an email scheme.

$1 Billion Threat
The realization that banking customers hold their banks accountable for all types of fraud and scams may be surprising to some financial leaders. It underscores the importance of banks taking an active role in educating users, as well as protecting their own security behind the scenes.

One of the most common schemes is business email compromise: a cyber crime where a payee sends fraudulent banking information to a business or individual, who unknowingly sends funds to the wrong account. The fraud grew during the coronavirus pandemic as many businesses worked remotely for the first time and relied on email in place of phone calls or in-person interactions. The FBI reported $26 billion in losses in just a three-year period.

Such numbers should concern financial institutions, especially since these funds can be difficult to recover. These incidents are likely underreported, meaning the real figures are likely much larger.

Three Immediate Actions
Today’s challenging environment for financial institutions means that little focus is placed on non-revenue generating activities, especially with the emergence of new fintechs and start-ups. However, helping to ensure that customer funds are protected and providing them with preventative advice could become a huge value-add for banks.

  1. Though some banks do make information available on their websites or in-branches, this is often an afterthought. Showcasing your institution as an authority on these matters will emphasize your desire to put customers first — and they will take notice.
  2. Many customers ignore the threat of fraud because they do not see themselves or their business as a potential victim. Taking the time to explain how a scam targets each customer segment will demonstrate your institution’s ability to identify and mitigate risks to each person.
  3. Monitoring fraud is particularly difficult for many institutions because threats are constantly evolving. Working with larger partners can be an asset, as bigger organizations are more likely to invest both funds and personnel in monitoring and combatting scams.

Many misconceptions regarding fraud still exist, and customers may not realize they are at risk before it’s too late. Transforming your institution into their financial protector could be a low-cost — yet valuable — way to stand out.

What Banks Need to Know About Cyber Resiliency

In a world full of adversity, there is much to be said about the knowledge and strength it takes to overcome setbacks on an individual and organizational level — in short, resiliency.

That is especially crucial in an environment like cybersecurity, where the landscape is constantly changing. Banks must adapt to stay ahead of cyber threats through cyber resiliency.

The National Institute of Standards and Technology defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Today, organizations are complementing their cyber resilience strategies with security solutions that uphold their posture. While cybersecurity focuses on protecting information, technical devices, and systems, cyber resilience focuses on keeping business and resources intact amid industry failures and threats. Many dangers exist that can have a detrimental impact on your bank’s daily operations and overall reputation. The main three threats to your bank’s cybersecurity posture include:

  • Data Breaches: An unauthorized entry into an organization’s database that allows cybercriminals to access customer data.
  • Cybercrime: Organized crimes to steal, abuse, or misuse personal and confidential information.
  • Human Error: Employees fail to follow data privacy protocol and policies and accidentally sharing, leaking or exposing confidential information.

While these three are among the most prevalent risks, they are not alone. Your organization should educate employees about the malicious actors that exist in the cyberworld.

Pillars of Cyber Resilience
Your bank’s cyber resiliency posture cannot be assessed until you consider all the pillars that make up a proper strategy. Below are the five pillars of an ideal cyber resilience framework according to Security Intelligence:

  • Identify: Banks should have a strong understanding of all the resources that support the organization’s critical functions from both a business and cybersecurity standpoint.
  • Protect: Banks should safeguard all critical infrastructure services and information by implementing cybersecurity policies and solutions to create a robust layer of protection.
  • Detect: Banks should constantly monitor their enterprise network traffic for malicious activity, searching for any signs of data breaches or other significant threats. A cybersecurity solution will create a more effortless process for scanning your network.
  • Respond: Banks should respond to any significant threats or unsuspected activity in real-time.
  • Recover: Banks should implement disaster recovery and business continuity plans in case of a data breach or comprising cybersecurity incident.

By considering these five pillars, your bank will be well-suited to perfecting its cyber resiliency posture and ensuring it has all the resources and strength to bounce back from any potential setback quickly.

Taking Control of Your Cybersecurity Experience
The patterns of cyberattacks are evolving in response to changes in the cyber environment and the Internet of Things. For a more practical experience, your bank must consider the social and capital investments necessary to develop a cybersecurity strategy.

According to the Ponemon Institute, “organizations are making investments in technology that do not strengthen their cybersecurity budget based on the wrong metrics. Fifty percent of respondents say their organizations are wasting limited budgets on investments that don’t improve their cybersecurity posture. The primary reasons for the failure are system complexity, personnel and vendor support issues.”

It is not uncommon for security-related responsibilities to fall on employees. Ultimately, it is the company and the employees’ responsibility to protect their networks, servers, and personal and professional information. The key to building a better cybersecurity toolbox is rooted in the relationship between a cybersecurity solution and its users. An ideal cybersecurity solution should include elite features like one-touch compliance reporting and automation tools, integrated threat intelligence, around-the-clock monitoring search for leaked accounts on the deep and dark web, managed compliance, detection, and response, and fast deployment (90 minutes or less).

Prioritizing Cybersecurity
Having a strategy and system in place that continues running smoothly despite adversities directly reflects an institution’s cyber resilience. Your bank should be able to identify, protect, detect and react when facing cyberattacks. Investing your time, resources, and capital into cybersecurity solutions is an essential measure of success. It will ensure network security and protection. As stated in Security Magazine, information technology “should enable businesses to make informed decisions on how to manage cyber risk while continuing their growth agenda. Most directors or CEOs today realize the consequences on the bottom line apart from the damage to reputation caused by a breach or an attack.”

Proper growth always begins internally. Banks that normalize and implement security best practices can achieve cyber resilience. If your organization can adapt its traditional approaches to cybersecurity, it will be better equipped to recover from difficulties it may face. In the end, a quick bounce back is better than a long-term setback. So, what better time than now to act?

Goodbye, Wild West: Are You Prepared for a Cyberattack?

Financial institution security practices and policies have substantially evolved since popular media depicted robbers in the Wild West as masked men running down a dirt road with a sack full of cash.

The glorified bank robbery scenario has underpinned the traditional image of bank security: armed guards, panic buttons, armoured vaults and vans — all of which are necessary to protect consumers’ physical money, but do nothing to thwart cybercriminals from attacking.

In June of 2019, Boston Consulting Group’s “Global Wealthreport found that financial services firms were 300 times more likely the target of cyberattacks than other companies. This trend seems to be continuing, as an April 2021 article from Alloy found that high-risk new account applications were up 137% from March to December of 2020, as compared to the same time period during 2019. The Covid-19 crisis escalated workers’ transition to unsecured networks at home, forced consumers to move to digital channels and increased institutions’ risk appetite, among other factors.

Cyberthreats like data breaches, malware, ransomware, keyloggers, synthetic fraud, identity theft and trojans — to name a few — are continuously evolving over time. Attacks can happen at opportune moments, like when hackers find weaknesses in networks and firewalls to execute a data breach, or can sit unnoticed in bank systems, harvesting and tracking data over time.

Historically, banks have sought to mitigate the effects of cybercrime, like advising customers with compromised data to close their accounts and open new ones, or reset their passwords.

While these instructions were adequate in the early 2000s, they will not work in 2021 and beyond. Much further than repairing the damages a cyber incident causes, customers expect the incident not to occur in the first place.

Banks need to adopt proactive, real-time cybersecurity initiatives if they wish to retain customers, stay ahead of the cyberattack curve and protect their data.  It is not enough to perform an annual vulnerability scan. It is not enough to have two-factor identification. It is not enough to encrypt data. Cybersecurity practices must become an integral and consistent part of a bank’s overall strategy and culture if it wishes to keep customer trust and industry credibility.

But banks don’t have to venture into this endeavor alone. In fact, many don’t want to: Cornerstone Advisors’ 2021 “What’s Going On in Banking” report found that 70% of responding banks were interested in a fintech partnership that provided fraud and risk management services or products. An additional 20% were already engaged in one. When it came to data breach and identity protection services, 67% of banks were interested and 7% were already engaged.

Many financial technology companies are dedicated to working with banks to better secure data and assets. Their products span an incredible range, from completely managing and monitoring a bank’s network to software installation that verifies account data in real time. Just as cyberthreats evolve over time, cybersecurity measures are advancing beside it.

Three fintechs that have proven to work with banks in protecting their institutions from cyberattacks are:

Cimcor’s CimTrak Integrity Suite, which alerts an enterprise of potential breaches by detecting real-time changes to its information technology’s infrastructure. CimTrak monitors the integrity of critical files, folders, configuration settings, users, policies and authorized registry keys. It also offers complete visibility into a breach from detection to recovery, tracking and encrypting all of the forensic details of the attack and storing them in its database.

DefenseStorm, a cybersecurity company that consolidates security data from all of a bank’s data sources to provide a comprehensive view of online security. Its Threat Ready Active Compliance team co-manages and monitors the network in conjunction with the bank, so it doesn’t necessarily need to have a full-time cybersecurity officer or team on staff. DefenseStorm was selected as a finalist for Bank Director’s 2021 Best of FinXTech Awards. 

Illusive, a fintech that plants deceptive data — information that looks exactly like what attackers need to progress in a cyberattack — across a bank’s network, servers and endpoints, which are physical stopping points that include laptops, desktops, workstations and mobile devices, etc. Once attacked, Illusive detects and captures forensics from the compromised machine.

Banks are constantly put in high-risk situations, and one cyberattack could derail decades of relationship building. Finding the right technology providers to help thwart attacks, partnered with adaptive internal policies, procedures and training, could give a bank the proactive stance it needs to protect its data, assets and customers in the new Wild West of today.

*All three technology companies are included in Bank Director’s FinXTech Connect platform, a curated database of proven financial technology solutions that are working with banks to better connect them with digital offerings. Fintechs cannot pay to be included and are selected through an interview and vetting process. For more information, please email [email protected] with any questions, comments or concerns.

Guarding Against Virtual Viruses in a Pandemic

As healthcare experts work to mitigate the Covid-19 pandemic, the banking industry is faced with fighting other viruses.

Cyber attackers are known to be opportunistic, pouncing during times of anxiety and uncertainty. Rest assured, they won’t let up once the coronavirus has run its course. While information technology directors are focusing their attention on processing huge volumes of Small Business Administration loans and assisting bankers working remotely for the first time, computer virus and malware threats continue to rise. If not handled effectively, this could threaten the security of the financial system.

Dr. Anthony Fauci, head of the National Institute of Allergy and Infectious Diseases, cautions that Americans need to prepare for the possibility that Covid-19 could return — or even become a seasonal disease. With such prospects, savvy bank directors should familiarize themselves with their institutions’ data security and technology infrastructure. Here are six points to consider when assessing the future of their bank’s information security system:

Look again at business continuity plans. While your bank may have one, it likely did not consider the immediate worldwide demands for laptops and network hardware needed to configure remote work capabilities. Nor did these plans likely consider supply chain interruptions when factories shut down in Asia, where the virus was first detected. The lesson: If you wait until the next global emergency occurs, you might be too late. Plan now.

Consider the increased risk with more employees working remotely. The larger the inventory — coupled with less control of who uses the computer — the tougher it is to protect. An even more concerning practice is allowing bank employees to use personal computers to access bank networks. Firewalls, spam filters, anti-virus software and other security measures should not be determined by individual employees.

The Cybersecurity and Infrastructure Security Agency has issued guidance related to remote work and defending against Covid-19 scams. One of their tips is to ensure virtual private networks, or VPNs, have the latest software package and configurations, and that current anti-virus software is installed and up-to-date. Multi-factor authentication is another must-have for protecting your bank’s network.

Make sure you have enough IT support. Even before Covid-19, there were not enough qualified technical staff to fill available positions. The increased demand for remote connectivity has further stretched IT departments. Make sure your technology departments are fully staffed, or have access qualified outside help.

Be sure employees are hyper-vigilant. Attackers hope that more distance between coworkers will equate to guards being lowered. Ensure that employees are regularly reminded of social engineering, email and other current threats to increase top-of-mind awareness of cyber security.

Be aware that some attacks are physical. We typically think of cyberattacks occurring “invisibly,” through system networks and software. But at least one entity is now mass-mailing infected “free” USB drives to financial institutions. Remind employees to discard any hardware that comes from unknown sources.

Consider the benefits of cloud technology. A recent article in The Wall Street Journal described how remote-work capabilities could become more common as money tightens and daily operations need more flexibility. Cloud computing is both more efficient and flexible, and is easily scalable. Bank regulators have taken notice, saying that outsourcing such technologies gives banks more options.

Time will tell, but this may be a turning point for American business. As more workers have established a routine for working from home — and have found surprising levels of efficiency and productivity — it’s expected that this could become more of the norm, at least in the near term.

Some in the financial services industry have been slow to change; they may now be forced to out of necessity. It’s incumbent upon directors to champion for this flexibility and resiliency by ensuring their data security and information infrastructure is ready to handle it.

How Banks Can Use the Dark Web to Shed Light on Cybersecurity


cybersecurity-9-5-19.pngCyberthreat intelligence, or CTI, can give bankers a deeper understanding of the potential threats that face their business.

Whether it is knowing your enemy or learning about the latest malware, CTI provides information that can help executives make prudent, risk-based decisions. This information comes from the open internet as well as closed sources, including the darknet and dark web. Analyzing this CTI can produce insights and identify signs of a potential breach, leaked data or pending attacks.

The darknet is the part of the internet that is not accessible through conventional browsers and requires specific software or configurations; the deep web is the part of the internet that is not accessible through search engines. Some nation states, cybercriminal gangs and threat actors thrive in this underground economy through illegal activity that includes the sale of personal information, financial goods and illicit services. For bank’s CTI, the deep web and darknet are a treasure trove of breached information and threat indicators.

A vast majority of these cyberthreat intelligence sources contain goods and sensitive data stolen from the financial services industry. Potential financial gain drives bad actors to maintain a thriving marketplace built on illicit items, including debit and credit card numbers, identity theft services and banking malware.

While no tool or service can completely eliminate the risk of a data breach, integrating CTI into a bank’s cybersecurity program can make it more difficult to target and lower the likelihood of a breach. To get value from CTI, a bank can:

  • Identify the threat actors that are leveraging potential vulnerabilities in systems used by the financial sector;
  • Understand whether a particular organization or client is being targeted directly;
  • Detect active malware campaigns that could target the bank;
  • Learn where its customer and employee information may exist;
  • Find breached credit or debit cards on deep web or darknet marketplaces; and
  • Understand emerging trends regarding data theft.

There are a variety of ways that financial institutions can leverage, and directly benefit from, CTI. Some examples include:

  • Incorporating technical indicators of compromise into the company’s security information and event management system;
  • Briefing high-level executives on industry trends and providing intelligence on potential future attacks;
  • Providing intelligence briefings to security operation centers (SOCs), increasing the situational awareness of technical campaigns and bad actors;
  • Developing incident response scenarios;
  • Achieving timely integration with fraud teams to deactivate stolen credit or debit cards;
  • Working with law enforcement to remove stolen credit, debit or other financial information from the deep or dark web;
  • Segregating and limiting internal access to systems if an individual’s credentials are exposed;
  • Communicating with social media and marketing teams about exposed data; and
  • Implementing patches for known vulnerabilities that are discovered on external-facing systems and applications.

What does a successful CTI program look like at financial institutions?
Deep analytical CTI is usually not possible at small- to medium-sized financial institutions using the internal resources of their existing security teams, and is often outsourced to a vendor or third party. Outsourcing can provide some value-added actions, such as:

  • Identifying breached credit and debit cards or other financial information;
  • Monitoring chatter about C-suite executives;
  • Assisting in fraud prevention through credential theft;
  • Thwarting attacks planned by adversaries that uses new financial theft malware, ransomware or Trojans;
  • Examining reputational damage or brand-related chatter for an organization;
  • Identifying large credential data dumps or breaches;
  • Identifying or ascertaining stolen or fraudulent goods like blueprints, skimmers and physical devices, or sensitive data such as tax forms, personally identifiable information and protected health information.

CTI can provide a variety of actionable information that executives can use to make better cybersecurity decisions and assess their risk appetite. With CTI, bankers can prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. A deeper understanding of the threats they face gives companies a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.

The Newest Exposure Facing Community Bank Boards


cyberattack-8-30-19.pngCybercrimes continue to pose the greatest significant risk to the banking sector, ranging from standard phishing attack to a newer ATM jackpotting schemes that manipulate a machine to dispense larger amounts of money.

Many of the losses originate through human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to best avoid them. Cyber liability insurance claims represented the largest increase in the percentage of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.

Several of the most-recent examples of covered cyber claims began when a bank employee succumbed to a phishing attack. This is where the employee clicks on a link provided by what is perceived to be a trusted source, which downloads malware. The malware often causes a breach of network security, providing the perpetrators with complete access to a bank’s networks. In some scenarios, the malware freezes the bank’s systems, and extorts executives for a “consulting fee” to return access of the internal systems. The fee is often in the form of bitcoin or another form of untraceable cryptocurrency.

While that can be a significant expense to the bank, the more-common claim scenario includes the expenses associated with the breach of network security. These can include, but are not limited to:

  • Notification costs
  • Forensics expenses
  • Credit monitoring costs
  • Establishing of a call center
  • Hiring a public relations firm
  • Obtaining legal advice, ensuring all discovery is protected by attorney-client privilege

Most cyber liability policies will cover to both breach remediation expenses, as well cyber extortion costs, as long as the third-party providers are approved by the carrier.

However, the loss scenario does not have to be limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist for a total loss of $2.35 million. The fraud was initially caused by an employee who fell victim to a targeted phishing email, which allowed culprits to install malware on bank servers. The malware allowed thieves to disable the anti-theft and anti-fraud protections, including 4-digit PIN numbers and daily withdrawal limits thresholds. The bank succumbed to two separate instances of ATM thefts from this intrusion into their computer systems. The first resulted in a loss of $550,000 over a holiday weekend; the second resulted in a loss of over $1.8 million.?

Recommendations:

  • Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
  • If you have any network security third-party providers, confirm if they are already included under the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
  • If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
  • If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure to document that in the minutes of the meeting. We suggest that boards show that such discussions take place on a quarterly basis, which can result in those boards being viewed in a better light in the event of a cyber-attack.

Cybersecurity: What You Need To Know


cybersecurity-10-29-18.pngAsk most top bankers one thing that keeps them up at night, and many of them will say cyber threats and risks to their company’s cybersecurity is chief among them.

Even the biggest banks wrestle with this important issue, and breaches can have serious financial, reputational and regulatory ramifications.


security-10-29-18-tb.pngBasic Cybersecurity Protections
For most companies, the question of a cyber-attack is when or how many, not if. There are basic protections to have in place to prepare and defend against the risk of an event, but with ongoing and persistent risk of threats, its best to have a strategy practice for any potential event.

data-10-29-18-tb.pngUse Data To Protect Data
To mitigate the risks of cyber events and threats, using data-based model can be effective. Data can quantify the risk to the institution and make regulatory reporting more efficient. It can also make the threat identification process more efficient by highlighting areas of risk more easily.

cyber-10-29-18-tb.pngWhat is “Threat Intelligence?”
One of the toughest challenges in cybersecurity is maintaining an edge against potential attackers who are continually making their attempts more sophisticated and difficult to defeat. One way many companies maintain that edge is to collect and use “threat intelligence,” which is information that can help prepare and preempt potential incoming cyberattacks. But, you have to use the intelligence effectively.

talent-10-29-18-tb.pngThe Cybersecurity Talent Threat
Research, including that conducted by Crowe and Bank Director, has indicated that bank executives and boards have concerns about the capability and readiness of the bank and its employees to identify, prevent and respond to cyberattacks. Regardless of asset size, there are ways to find and prepare your employees for real and perceived threats.

finances-10-29-18-tb.pngFinancial implications
Just one breach can cost a company millions of dollars and untold more in other areas, potentially wiping out any projected revenue gains for the quarter, or longer. Analyses conducted my major firms have estimated a wide range of potential per-record costs for data breaches, making it difficult to truly project what any single event could carry in terms of financial impact. But some have been estimated to cost tens of millions of dollars, making the threat highly worrisome.

Cybersecurity should be if it is not already among the pinnacle talking points and areas of focus for your board. Without that preparation and ongoing discussion, your institution can find itself at risk that can harm your customers and your institution. But remember there is plenty of opportunity to prepare, secure yourselves and respond in the event of a cyber event.

How Financial Institutions Should Prepare For and Respond to a Cybersecurity Incident


cybersecurity-7-2-18.pngCybersecurity incidents and data compromises continue to plague financial institutions on a seemingly daily basis. Without a proper response plan in place, financial institutions risk significant damage to their reputation and operations, as well as serious potential liability from regulators and class-action litigation. This guide outlines the procedures financial institutions should implement to prepare for and respond to a cybersecurity incident.

It is crucial that financial institutions adopt a response policy to mitigate the harm of a cybersecurity incident. This policy should establish a response team, including an executive officer and technical and operational personnel, charged with handling all cybersecurity incidents.

Time is of the essence during any cybersecurity incident, and communication is vital to the response team’s effective handling and investigation of the situation. Each employee should know how to report an incident. Notification processes, responsible personnel, and other elements of the communications plan should be as seamless as possible to enable the cybersecurity response team to immediately investigate the potential incident and determine whether an incident actually occurred. As soon as the incident is confirmed, the team must immediately respond.

Determine the severity of the incident. The response team should first determine the severity of the harm and the type of incident that occurred. This will help determine the scope of response necessary to appropriately address the incident. The team should be sure to create a detailed record of all investigations and responses.

Mitigate the harm. The response team next should work to mitigate the harm on its systems. For example, the team can quarantine or isolate the compromised system, install security patches to prevent further incidents, update anti-virus signatures, and conduct a vulnerability analysis to identify elements of the system potentially at risk of a similar incident.

Establish lines of communication. Pre-determined and clear lines of communication, both internal and external, are critical to responding to an incident. The response team should also be in communication with appropriate auxiliary teams in the financial institution. For example, if the cybersecurity incident led to customer information being compromised, the response team should coordinate with the customer relations team to facilitate customer notification. Senior management should also inform the board of directors of the incident so that the directors can assist in developing a response strategy as appropriate.

When deemed necessary, the response team should also be in contact with third-party advisors, such as legal counsel or forensics experts. If the response team determines an incident has potentially compromised personally identifiable information or other legally protected information, the team should immediately contact legal counsel and the institution’s insurance carrier (unless instructed otherwise by legal counsel).

Review and repair vulnerabilities. After a financial institution has experienced a cybersecurity incident, it should evaluate system vulnerabilities by identifying the incident’s source and method. The financial institution should rectify or mitigate the risk of the vulnerabilities as soon as possible.

After addressing the incident, the financial institution should also evaluate its response team’s efficiency and effectiveness. Are there aspects of the plan that can be improved? Were the communication lines clear and efficient? How long did it take for the team to spring into action? How long did it take to implement the mitigation? Was the response team appropriately staffed? Answers to these and other probing questions will serve to better prepare the institution for the next incident and should provide the basis for improvements to policies and procedures.

Preparing in advance for a cybersecurity incident can mean the difference between quarantining the release of sensitive data and having the sensitive data released to the public; and because preparations help control damage even if a breach happens, they can also make the difference between a small, manageable cybersecurity incident and a large, cumbersome data breach that could severely damage the reputation and operations of the company.

Shelter From the Cyber Storm


cybersecurity-11-16-17.pngIn 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber intelligence is a significant focus of the organization, as well as natural disasters, such as the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Coordinating Council, in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure their customers’ accounts are safe should a cyberattack damage the bank’s data. If a bank is unable to recover from such an attack in a timely manner, the bank’s customers would still be able to access their accounts through another member financial institution. The data is encrypted and remains private, and there is no disruption in service for the customer.

Much like its parent organization, FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale and are determined by the size of the financial institution.

In this interview, Bank Director Director of Research Emily McCormick asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.

BD: The initiative helps member financial institutions store secure customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this into in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.

How Big Data is Helping Live Oak Bank Prevent Hacking


hacking-8-9.png

While there’s a myriad of technologies and companies on the market trying to make banking data more secure and prevent hacking, knowing which technologies and partners to choose from can be a daunting task. With cyber criminals looking for any conceivable way to get into banking systems, monitoring for potential threats can seem almost impossible. Think of cyber security as a house with multiple “points of access” for potential burglars, like windows or doors. The problem is that each digital access point, from branch networks to remote data centers, presents a distinct set of cyber security problems. This often leads banks to involve multiple software, solutions and partners. The result can be a disjointed cyber security strategy where banks are spread thin dealing with multiple vendors and systems.

That’s precisely the issue that Live Oak Bank—a North Carolina institution specializing in small business loans—faced as the bank’s employees were looking to improve their cybersecurity. Part of Live Oak’s promise to its customers is top-notch cyber security, but with their systems, the bank struggled to gain visibility into every potential point of access that cyber criminals might seek to exploit.

“We really wanted to protect ourselves across the board,” recalls Thomas Hill, chief technology officer at Live Oak. “But we had to address each potential security issue with separate technologies, which quickly became overwhelming. You’ve got to monitor all these devices and systems all the time, and be on top of them if—and when—a hacker comes in.”

Hill and Live Oak began evaluating options to respond to breaches quickly when they happen, and possibly detect them ahead of time. They decided to partner with Seattle-based cybersecurity company, DefenseStorm.

“Live Oak needed visibility into all areas of its network to support company-wide security and operational activities,” explains DefenseStorm chief technology officer Sean Cassidy. “With branches, staff and data centers located across the U.S., [employees] had multiple systems to monitor each point of access. They needed a way to consolidate visibility into each system, while still allowing the systems to continue operating as intended.”

DefenseStorm’sstack of cybersecurity capabilities includes real-time incident reporting, automated initial threat response and—most importantly—a proprietary big data engine built specifically for banks to analyze metadata patterns that could be indicative of a hack. Live Oak was then able to aggregate all their cyber security logs and event data into one analysis engine—with the objective of increasing visibility of security threats, and speeding up reaction time to potential breaches. They did this by implementing software that aggregates data from existing systems, and places it all into a single, easy-to-monitor dashboard. Incident tracking for compliance purposes also became more efficient, allowing the bank to report cyber incidents to state and federal regulatory agencies sooner than before.

“DefenseStorm’s incident response system allows me to not only easily see data indicating a potential hack, it allows me to immediately assign it to one of our engineers,” says Hill of Live Oak. “It really empowers them to focus in-depth on potential threats and dig deep to see if there’s a hack underway.”

DefenseStorm also continues to provide Live Oak with 24-hour monitoring and support through its so-called Guardian team, who are also responsible for offering assistance in investigating—and uncovering—potential threats. The Guardian team provides advice and recommendations to Live Oak on how to better secure its network in the future. This underscores the trend of“threat hunting,” as businesses and organizations seek to be more proactive in how they monitor systems for potential hackers.

Live Oak’s previous security system was unable to perform accurate and timely security analyses, mainly due to the increasingly large amount of data traffic occurring on the bank’s networks. Reaction time to security incidents has been greatly reduced, says Cassidy.

Finally, one of the most unique parts of this partnership is that Live Oak has chosen to participate as a proof of concept customer for features and capabilities of DefenseStorm’s software that are in the final stages of development. “With all the tools and support they provide, DefenseStorm is really turning out to be a Swiss Army knife for us—and potentially the entire banking industry,” says Hill. “This partnership has been a huge win.”