What CEOs and Directors Should Know About Cybersecurity


According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers being affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This 1-2 punch combination is affecting banks of all sizes. The days of cybersecurity attacks only affecting the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer that may be accessing a mobile banking application or a bank employee accessing internal bank systems, such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Criminals are compromising IoT to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing that your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and to educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level.
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to the funding for physical security controls. If cybersecurity threats are greater than physical security threats, then funding of cybersecurity controls should be in parity with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program. 
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually, using the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as Financial Services – Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings. 
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is that there are many well-trained and qualified cybersecurity professionals who can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way towards ensuring your bank does not become another victim of a cybersecurity attack.

Unlocking Smartphone Secrets


Soon, your bank may know more about you than you could imagine. Bank Director recently spoke with Stephen Burke, chief operating officer for Context360, a startup firm in San Mateo, California. Context360 uses a smartphone’s sensors to track user location and behavior, including what other apps the person is using on the phone and when. There are a variety of potential fraud and marketing applications for the technology. San Francisco-based Wells Fargo & Co. earlier this year awarded the company seed money to develop its platform for potential banking uses.

Tell me what Context360 does.
We started out three years ago focused on game developers trying to solve the problem called retention and engagement. Unlike the web, where web sites know where you came from and where you went [by] using cookies and various devices, apps are very much siloed. You don’t know where [users] came from when they open your app or where they go when they close your app. What if we could provide insights into what users do outside your app?

How does it work?
All smartphones have sensors. Once it’s installed and the user has accepted the permissions, it runs in the background. It collects changes in the phone’s state, like the phone moving, or logging in. If you open your mail app, that gets registered. Our license terms explicitly require our customers to get informed consent from the end users. I want to be very clear. We don’t have your contact lists or email content, and we are not looking at SMS [text message] content. We just know that someone is spending two hours per day texting, but we don’t know the content of those texts.

I understand that Wells Fargo is interested in this as a way to prevent fraud, by knowing the customer’s location through the sensor in their smartphone and comparing that to where the credit card is being used, for example.
If you used the United app in the last few hours, that is a good indication that you might be traveling soon. We don’t know if it’s you. We know it’s your phone. If you have opted in to be directly recognized, if you are traveling a lot, you may opt to link your bank user profile with your smartphone profile.

So the bank app would know that I was doing something in an airline app, or that I had downloaded a boarding pass, so they don’t have to block my credit card when I travel to that city?
Yup. Or you could check into the Four Seasons hotel in London and because your phone is logged into the wifi there, we know it’s you. At the end of the day, your phone is you. It is the single most ubiquitous personal device ever. Similarly, if you travel back and your credit card continues to be used in London but your phone is in Tennessee, that’s a signal those charges should be blocked. We are in the middle of three weeks of testing for another use case, which is lead generation or cross selling. The example here is you suddenly have an interest in real estate apps such as Trulia or Zillow, and that’s a sign you might be in the market for a house. If I’m Wells Fargo, I have a new loan rate and I have 6,000 people in Tennessee who have been looking for real estate, so why don’t I send them a message right now that they should come in and talk to a loan officer now?

As a user, do you know what I’m searching for on the web?
No. We see the broad category, such as she just downloaded an app. But we don’t see what you’re searching for on the web.

But Wells Fargo is not actually using this with customers yet?
It is only being done with Wells Fargo employees in a trial. We’ve raised about $1 million to date including the seed funding from Wells Fargo. We have several other clients using our software and about 7 million active users on our platform right now, ranging from real estate apps, retail, to voice over IP and banking. We have about six game developers in the U.S. using it. We are in discussions with a large bank in the U.K. to do something similar to what we’re doing with Wells Fargo.
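The fraud signal Burke describes (a card used in London while the phone is in Tennessee) is, in detection terms, a location-consistency or "impossible travel" check. The following is an added example written for this page, not code from Context360, Wells Fargo or Bank Director, showing how a bank's risk engine could consume such an opted-in, coarse device signal. The data classes, the 50 km co-location radius, the 900 km/h travel-speed ceiling, the 48-hour signal freshness window and the London/Nashville sample events are all constructed assumptions; the only thing it implements is the comparison the interview sketches, and it deliberately returns a risk category rather than a block decision.

```python
"""Location-consistency check for card transactions using opted-in device signals.

Added illustration, not Context360's or Wells Fargo's code. It compares where a
card is being used with where the customer's phone was last seen (hotel wifi
login, app usage) and flags charges the phone could not plausibly have
accompanied. All names, thresholds and sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Iterable, Optional

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class DeviceEvent:
    """Coarse, consent-based signal from the phone: when and roughly where.

    Only the event type is recorded (e.g. "wifi_login", "app_open"); no
    message or app content is collected, matching the consent model described.
    """
    when: datetime
    lat: float
    lon: float
    source: str


@dataclass(frozen=True)
class CardTransaction:
    when: datetime
    lat: float
    lon: float
    merchant: str
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def last_event_before(events: Iterable[DeviceEvent], when: datetime,
                      max_age: timedelta = timedelta(hours=48)) -> Optional[DeviceEvent]:
    """Most recent device signal at or before the transaction, if fresh enough."""
    candidates = [e for e in events if e.when <= when and when - e.when <= max_age]
    return max(candidates, key=lambda e: e.when) if candidates else None


def assess_transaction(txn: CardTransaction, events: Iterable[DeviceEvent], *,
                       colocated_km: float = 50.0, max_speed_kmh: float = 900.0) -> str:
    """Return 'allow', 'plausible_travel', 'review' or 'no_signal'.

    The phone signal is one input to a risk decision, never the sole gate:
    'no_signal' means fall back to the bank's other controls, and 'review'
    means the charge deserves a step-up check rather than an automatic block.
    """
    evt = last_event_before(events, txn.when)
    if evt is None:
        return "no_signal"
    dist = haversine_km(evt.lat, evt.lon, txn.lat, txn.lon)
    if dist <= colocated_km:
        return "allow"            # phone and card are in the same place
    hours = (txn.when - evt.when).total_seconds() / 3600.0
    # Could the phone have covered this distance since it was last seen?
    if hours > 0 and dist / hours <= max_speed_kmh:
        return "plausible_travel"  # customer may simply have flown; don't block
    return "review"                # card is where the phone cannot be


# Constructed coordinates for the interview's London / Tennessee example.
LONDON = (51.5074, -0.1278)
NASHVILLE = (36.1627, -86.7816)


def demo() -> dict:
    """Constructed scenario: phone on London hotel wifi, then back in Tennessee."""
    t0 = datetime(2015, 9, 1, 9, 0)
    events = [
        DeviceEvent(t0, *LONDON, "wifi_login"),
        DeviceEvent(t0 + timedelta(days=1, hours=9), *NASHVILLE, "app_open"),
    ]
    txns = {
        "london_same_day": CardTransaction(t0 + timedelta(hours=1), *LONDON, "restaurant", 42.0),
        "london_next_day": CardTransaction(t0 + timedelta(days=2), *LONDON, "taxi", 30.0),
        "london_after_phone_home": CardTransaction(
            t0 + timedelta(days=1, hours=9, minutes=30), *LONDON, "electronics", 899.0),
        "nashville_no_recent_signal": CardTransaction(t0 + timedelta(days=4), *NASHVILLE, "grocery", 65.0),
    }
    return {name: assess_transaction(t, events) for name, t in txns.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "london_after_phone_home" case is the one from the interview: the phone was seen in Tennessee half an hour before a London charge, so the required speed is far above anything an airliner manages and the charge goes to review. The "london_next_day" case shows why the check must allow for travel time rather than compare locations naively, and "no_signal" shows that a stale or absent device signal must never be treated as evidence either way.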