What CEOs and Directors Should Know About Cybersecurity


According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers being affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This 1-2 punch combination is affecting banks of all sizes. The days of cybersecurity attacks only affecting the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer that may be accessing a mobile banking application or a bank employee accessing internal bank systems, such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Criminals are compromising IoT to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level. 
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to physical security controls. Assuming cybersecurity threats are greater than physical security threats, funding of cybersecurity controls should be in parity with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program. 
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually and utilize the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as Financial Services – Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings. 
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is there are many well-trained and qualified cybersecurity professionals who can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way towards ensuring your bank does not become another victim of a cybersecurity attack.

IoT: Is Your Bank Ready?


What if your fridge could sense the absence of a milk container and automatically reorder the milk for delivery? What if your car could sense the deflation of a tire, alert the driver and order roadside assistance service? IoT, or the internet of things, is a sensor-based technology that connects objects with sensors embedded in them for data transmission and monitoring over the internet.

IoT is making a lot of this possible. Bank boards should get ready for a future where many more devices are connected through the internet, which will exponentially increase the number of transactions going through banks. Many of the security questions raised by the IoT-connected world have not been answered yet.

These sensors send and receive signals and carry interactions to and from other IoT devices or systems enabled with IoT technology. An important implication of this technology is the very large and continuous volume of data flowing from IoT devices and impacting banking systems.

Some examples of impacts to banking systems include:

  • Banks will be improving features and capabilities to support more sophisticated consumer-based transaction processing, including IoT-based transactions.
  • With new banking technology integration and infrastructure investment, consumers will have increased access to detailed information regarding our most important IoT-based transactions and more options to manage finances surrounding these transactions.
  • Consumers will see new transaction reporting for IoT in our banking consoles.

Also, since IoT is an integrated form of data and information transmission, many new types of devices beyond common types such as cell phones, tablets and other kinds of mobile devices have the potential to tap into banking infrastructure.

Newer devices like refrigerator consoles or onboard computer systems in vehicles have the capability to transmit transactions for purchases that impact today’s banking architecture.

By one estimate, the market for IoT platforms, software, applications and services will grow from $170.57 billion in 2017 to $561.04 billion by 2022, a compound annual growth rate of 26.9 percent.

Because of this, customers will need additional services on the banking side of IoT transaction processing to understand what types of transactions (and from which devices) are included in their bank accounts. Many of today’s customers are used to real-time bank account information and portal login for easy viewing of transactions. It is therefore very likely that this new IoT capability for banking would be expected to come in at the same level for all forms of consumer banking.

Understanding how banking computer systems and infrastructure will be adjusted and upgraded to accommodate the influx of IoT-enabled transactions will play a crucial role in supporting customers and clients globally. Consumers will be most impacted by changes in retail and consumer markets. However, business use of IoT for financial transaction flows is also a growing factor. The combined business and consumer IoT sensor-driven transaction flows are an exciting area of banking and computing convergence that holds great potential for new and emerging global markets.

How Can Your Bank Tap Into the Internet of Things?

This content was originally written for FinXTech.com.

The Internet of Things (IoT) has officially moved beyond hype. IoT is now well known and defined—basically putting data-gathering sensors on machines, products and people, and making the data available on the Internet—and companies are already using IoT to drive improvements in operational performance, customer experience and product pricing. Gartner predicts we’ll see 25 billion IoT data-gathering endpoints installed worldwide by 2020.

While IoT is delivering on its promise in a wide range of industries, many bankers are still struggling to find the value in finance, an industry largely built on intangibles. We see two primary IoT opportunities for banks:

  • Direct use of sensor data (location, activities, habits) to better engage customers and assess creditworthiness.
  • Partnering with companies that manufacture or integrate sensors into products to provide payment services for device-initiated transactions.

Engaging customers and assessing creditworthiness
Like most businesses, your bank can simply use IoT to understand—and serve—customers better. Banks are already implementing smart phone beacon technology that identifies customers as they walk in the door. Customers who opt in can be greeted by name, served more quickly and generally treated with more personalized care. You can also take advantage of sensor data outside of the bank to market more relevant services to customers. For example, data from sensors could alert your bank when a customer’s car goes into a repair shop; after the third service call, you might offer the customer an auto loan for a new car. This type of tailored service and marketing can change a customer’s relationship with your bank dramatically: Pleasant experiences and valued information are a time-tested path to loyalty.

IoT sensor data can also supplement traditional methods for predicting creditworthiness and protecting against fraud, especially for customers with little or no credit history. For example, if a small business HVAC contractor applies for a commercial loan, you can request access to data from shipping and manufacturing control sensors to track the flow of actual product into buildings. This can help the bank confirm how the business is doing. For product manufacturers, you can track and monitor goods, including return rates, and if the return rate is high the bank can adjust the loan pricing and decisions accordingly. Leveraging alerts on credit cards and processed payments can provide information about where and how often an individual or business is making purchases, providing clues about creditworthiness without requiring access to detailed credit card records. In short, with billions of sensors all over the world, IoT will offer you more data that can help you assess creditworthiness and prevent fraud.

Providing payment services for device-initiated transactions
To illustrate the potential of IoT, proponents often cite the “smart” refrigerator, which senses when a household is low on milk and automatically orders more. Similarly, in the commercial space, sensors can automatically trigger a call for maintenance when a piece of equipment is due for service. In these device-initiated transactions, your bank could partner with the providers to offer payment services as an integrated component of the IoT package.

On a more local level, as small businesses begin to take advantage of IoT sensors to automatically reorder supplies—paper, toner, medical supplies, salon products—your bank can tie payments into the IoT-triggered reordering system. In addition to broadening your market for payments, being part of this solution can strengthen attachment to your bank among small businesses in your community.

Start with the end in mind
This is undeniably an exciting time in banking. Between fintech offerings and IoT applications, it’s tempting to move quickly for advantage, but we all know that investments are far more likely to pay off when you treat the process with rigor and resist the urge to grab bright shiny objects. IoT is no different: Before you start buying systems and aggregating data, know what problems you’re trying to solve and what data you’ll need for the outcomes you want to achieve. In banking, the most promising returns on IoT investment are likely to be found in improved customer experiences and marketing effectiveness, reduction in loan default and fraud, and growth in your payments business. But with all the dramatic changes unfolding, who knows what innovations might be ahead—your bank might find opportunities for IoT no one else predicted.

 

Contributed by: John Matley, Principal, Deloitte Consulting LLP; Akash Tayal, Principal, Deloitte Consulting LLP; William Mullaney, Managing Director, Consulting LLP

Data Wars to Dominate 2017



It’s the start of 2017, and many people have already blogged their predictions for the year. I won’t repeat those predictions, as the future isn’t what it used to be, but I do find it interesting to look at the common themes across them all. The standout theme for me is that 2017 is the year of The Analytic.

Data analysis to be exact. Now you can get analysis paralysis if you dwell on this too long, but data analytics will be the fuel for everything else. Effective data analysis is core to being able to leverage artificial intelligence; data analytics will be the key to unlocking the internet of things; and data analytics is essential to chatbots, augmented customer experiences and enhanced services.

Think about it: How can you deliver a decent digital service if you don’t have the data to tell you what your customers want? This then becomes the essential challenge for all incumbent institutions as their customer data is often siphoned into silos. I know that for a fact, having spent 20 years trying to create bank enterprise data stores and services. Now some banks are beginning to wake up and embrace the data opportunity and threat but, for those who are comfortable with distributed data and no ability to analyze it effectively, here’s the hard truth: You will not survive.

I’ve believed this for a long time but, with each passing year, I am sounding the alarm bell louder and louder. After all, we have argued for decades that a consistent customer experience across channels is essential. We haven’t been able to deliver it, but we’ve tried. Now we are not even talking channels anymore, we are just talking about a digital foundation that everyone accesses through open marketplaces online. We have moved from a historical, closed and proprietary architecture to an open platform structure where everyone can plug and play. But how can they do that if the data is locked in old proprietary systems that are siloed and closed?

This is going to be a key conundrum for U.S. banks, which are arguing that the only person who can access customer data is the customer. That’s a great way to lock out third-party players, shut down the aggregators and block the open systems march. However, it strikes me as being like the king who has placed his army at the gates of the castle, while not noticing that the citizens are all leaving via the back door. What is the use of having a kingdom if there’s no one in it? And that is what will happen to banks that continue to have distributed data that cannot be leveraged.

The march of the fintech community, the regulator and the customer is towards easy, convenient, proactive and personalized financial providers. Those providers are increasingly like the Amazons of the world: they know their customers’ digital footprint and maximize their knowledge of that footprint to the hilt. In 2017, as we watch the progression of AI, machine learning, deep learning, chatbots and personalization, any bank that keeps its data locked up in a chastity belt is missing a trick.

Trends in Financial Technology to Watch



The FinXTech Advisory Group is comprised of several respected fintech leaders from around the globe, and we are honored to have Christa Steele, former CEO of Mechanics Bank in Walnut Creek, California, as a part of the group. During her time with Mechanics Bank, she improved core earnings 43 percent in a single calendar year, doubled the stock price, evaluated three separate and vastly different M&A combinations and in 2015 led the company through its successful sale to a Dallas-based investment firm at a market premium of 1.64x tangible book value. Since then, she has been involved in a variety of initiatives including alternative lending, robo-advisory, mobile/digital payments and blockchain. As a director for a mix of public/private company boards, and as an advisor to two blockchain organizations, we asked Christa to share her thoughts on the future of banking and how blockchain will impact financial services. Here are her written responses.

What trends in financial technology should we all be watching?
The banking industry must adhere to the required paradigm shift being caused by digital, mobile, e-commerce and other robust cloud-based technology trends. The traditional bank financial model is under siege by competitors from outside the industry.

Did you know:

  • Online lender SOFI, which started out refinancing student debt and now funds home loans, offers wealth management services for a flat fee of $60 per year?
  • PayPal has more customer money than all but the 20 largest U.S. banks? Did you also know that PayPal’s deposits are not insured?
  • The transaction volume at Venmo, PayPal’s peer-to-peer payment processor, exceeds $1 billion a month and the company is now piloting a merchant program?
  • Mobile banking apps are becoming gamified to enhance customer engagement and attract and retain millennials?
  • Facebook Messenger is processing Bank of America client transactions and is said to be engaged with over 1,000 payment vendors to offer client services that interact through Messenger with a single sign-in process?
  • Over 60 of the world’s largest banks are testing a new technology called blockchain that could single-handedly revolutionize how financial transactions are conducted today?

As a former bank CEO, what are some of the challenges that bank leadership teams must overcome during this period of digital transformation?
Each bank is different. Geography, economic trends, client mix (i.e., retail, commercial and wealth management), institution size and product offerings can all be different. My advice is to pay attention and understand how fintech is impacting client acquisition, client retention—and, ultimately, your bottom line. Evaluate whether your current infrastructure and growth strategy meets the needs of a digital world.

Based on your experiences, why is there so much time, energy and resources being spent on blockchain?
We’ve all been using cloud-based technology. I remember when banks were slow to move to the cloud at first because of their initial mistrust. Today we are centralized, but there are endless possibilities about where we go from here, including the use of open access IoT networks, public and a private system of records.


Blockchain is a software that enables data sharing across a network of individual computers. A blockchain describes computers transferring blocks of records in a chronological chain aka a distributed ledger. A simple way to explain this technology is to think about vehicle assembly. Blockchain is the assembly line in the manufacturing plant. The end product is a car, or in the case of blockchain, an asset token.

How do you see blockchain impacting the banking industry holistically?
The impact of blockchain will not only affect banking, but we will see enhanced record keeping and data analytics, streamlined processes, cost saves and efficiency gains. Over the next several weeks, I plan to share a series of articles centered around the technology of blockchain and how it will directly impact the financial industry. I’ll take a look at how it works, why it matters, how to make it a reality and highlight some major players in the space. I look forward to sharing with you all the interesting and innovative movements around this dynamic technology.