Two years in a row, Mike Morris and his team at the consulting firm Porter Keadle Moore dinged a client bank for allowing access to personal email accounts from company equipment, which the firm saw as a potential security threat.
Then about a month ago, on a Friday afternoon, Morris, a partner and cybersecurity expert at PKM, got a call. The bank they had written up two straight years for the same potential security lapse had, in fact, been breached by someone using personal email on company equipment, exactly what they had identified as the possible threat.
Such cybersecurity threats are among the most serious for any institution for a multitude of reasons, from fiduciary responsibilities to reputation and beyond. Cybersecurity will be a common topic at the Bank Director’s 2018 Bank Audit & Risk Committees Conference, held June 12-13 in Chicago.
Morris has multiple stories about hacks and phishing scams that have in some way compromised personal data or a customer’s own money.
Another recent case: A customer fell victim to a phishing scam, and the source in China managed to wire $150,000 through another bank before they “got lazy” and tried to draw another $150,000 directly from the customer’s bank. The second transaction, thankfully, was caught by the bank’s compliance team in review.
“That’s happening on a regular basis, and it’s not a new trend, but yeah, it’s happening all the time,” Morris says.
Some of the financial services industry’s most experienced experts paint a dark picture about how prepared—or not—banks generally are for cyberattacks, or perhaps more generally, just threats to customer information that could ultimately pose a risk to the bank.
It’s not a new challenge for the industry. Banks have had training along with regulator attention and oversight on this topic for at least a decade, but with an increasingly vast digital footprint, troves of data and relationships with vendors outside the walls of the bank, the potential threats grow in step.
“Firms that successfully introduce cutting-edge technologies need to infuse cybersecurity risk management practices throughout the entire development life cycle to identify and mitigate new risks as they emerge,” said Bob Sydow, a principal at Ernst & Young, in testifying before the Senate Banking Committee in late May. “This shift in mindset from thinking about cybersecurity as a cost of doing business to seeing it as a growth enabler is not easy, but it is the only viable path forward.”
The data about cyber threats—not to mention what seems like weekly headlines about data breaches—does nothing to ease the worry that bank leaders or risk officers might have. The 2017-18 Global Information Security Survey by Ernst & Young found nearly 90 percent of some 1,200 bankers around the world said their cybersecurity function doesn’t fully meet their organization’s needs. More than a third said their data protection policies were ad hoc or nonexistent, Sydow told senators, just weeks after Facebook CEO Mark Zuckerberg was on Capitol Hill testifying about Cambridge Analytica’s use of the social network’s user data.
“As banks and other financial services firms define their digital strategies, their operations are becoming ever more integrated into an evolving and, at times, poorly understood cyber ecosystem,” Sydow said.
That integration Sydow talked about is an area where there’s considerable risk, Morris says, that should be reviewed and understood by audit committees, risk committees, boards and other bank leaders. Financial institutions are working with an increasing number of third-party vendors for specific services or products, some of which require that vendor to access the data of the bank’s customers. That itself presents a risk, and boards should be especially careful when negotiating contracts that in early draft stages tend to favor the interests of the vendor but are often revised through the negotiation process.
Morris says it should be a top priority for banks to have a right-to-audit clause or confidentiality clause in those agreements, which gives the bank some authority to ensure the data to which they are allowing access is treated properly and kept secure. Boards should also take the opportunity to update or revise long-standing contractual agreements, like those with core system providers, when they come up for renewal.
Many institutions have lengthy contracts with their core technology providers, and with data security a preeminent concern, those renewals should be taken seriously.
“You have that moment of power when you haven’t signed an updated agreement that you can get some of these clauses put in there,” Morris says.