A common consumer of news might assume that financial services hacking incidents are just a big-bank problem. Cyberintrusions of the largest institutions by sophisticated criminals and potentially foreign governments are well documented.
But community banks of every stripe should be on alert for a genus of attacks meant more for smaller institutions than bigger ones. On Nov. 3, the Federal Financial Institutions Examination Council issued a
In such attacks, cybercriminals target the bank's funds rather than those of its customers. Through the installation of "ransomware," a cybercriminal can limit or even prevent the bank from accessing its computer systems. Alternatively, through a
The unique threats for community banks are especially relevant in light of policymakers' continued insistence on smaller institutions taking steps to improve cybersecurity. This pressing issue for banks of all sizes was addressed in a July speech by
While the precautions and responses implied by her questions do not rise to the level of regulatory requirements, the practical reality is that a financial institution must be prepared to address each subject and defend its response.
For instance, the
Some of Raskin's suggestions are common practice and easily within the reach of even the smaller community banks. Multifactor authentication for access to online banking is becoming, if it isn't already, the industry standard. Likewise, staying current on software updates is a fundamental responsibility of any IT department.
Equally achievable and expected is the implementation of cybersecurity training for all bank personnel. Such training includes the basics: teaching the importance of keeping passwords complex and secure, exercising caution in opening email attachments and following email links, and downloading only approved applications. Less obvious, but just as important, is educating employees to safeguard against low-tech "visual hacking" — the inappropriate viewing of confidential information on documents left in the open or on computer monitors not adequately screened.
However, community banks may face challenges in addressing Raskin's other questions due to their limited resources. Apart from the direct damage done to the bank by blocking its access and inhibiting operations, such an attack can prevent the bank's customers from online access to their accounts to check their balances, transfer funds or complete other transactions.
As devastating as these attacks can be to any financial institution, the cost to community banks can be especially catastrophic. A hallmark of community banks is their emphasis on individual customer relations. Maintaining the trust and confidence of customers is imperative to every financial institution, but it is the lifeblood of a community bank.
To address these concerns, the FFIEC last year provided banks with practical guidance on minimizing the risk of cyberattacks. While these recommendations were specific to cyberextortion threats, they equally apply to a broader range of cyberintrusions.
The FFIEC suggested banks conduct ongoing information security risk assessments; securely configure their systems and services; protect against unauthorized access; perform security monitoring, prevention and risk mitigation; update information security awareness and training programs, as necessary, to include cyberattacks involving extortion; implement and regularly test controls around critical systems; periodically review, update and test their incident response and business continuity plans; and participate in industry information-sharing forums.
While some of the FFIEC recommendations merely state the obvious, others provide useful insight into the actions a bank may take to lessen its cybersecurity risks. These include requiring all senior management to participate in regular discussions of the bank's unique cybersecurity risks and its specific breach response plans. Banks should provide regular and mandatory follow-up cybersecurity training for all employees, supplemented by internal bulletins and communications that focus on recently discovered industry cybersecurity risks.
Meanwhile, in addition to crafting a written breach response plan, it is critical that banks ensure that all persons with breach response obligations know their duties and that the bank educates all employees on the procedures for reporting a breach incident. Finally, community banks should tap into the cybersecurity knowledge, expertise and resources of larger banks by attending, and preferably participating in, industry cybersecurity forums, webinars, seminars and listserv discussions.
Anthony (Tony) McFarland is a partner in the Nashville office of Bass, Berry & Sims PLC, where he serves as co-chair of the firm's Financial Institutions and Data Security & Privacy practice groups. He may be contacted at