Bank Buyers Take a Harder Look at Sellers' Cyber Defenses
As bank consolidation revs up, acquirers are paying more attention than ever to how targets handle cybersecurity.
Concerns about exposure to cybercriminals have grown in recent years as retailers, such as Target, and banks, like JPMorgan Chase, have been victimized by security breaches. Anxiety over the possibility of such crimes is starting to factor into the way banks size up merger targets, industry experts said.
"Due diligence is all about risk management, and [cybersecurity] is certainly a growing hot button in the industry and with regulators," said Rory McKinney, co-head of investment banking at D.A. Davidson. "We're finding that our clients are paying more and more attention to this, because it is an important issue."
"We're asking questions now that we didn't ask five or 10 years ago," said Archie Brown, president and chief executive of MainSource Financial Group in Greensburg, Ind. "You have to understand the other bank's cybersecurity policies, procedures and protections. We have to … make sure we don't see any glaring risk."
A seller's protection against cyberattacks is largely viewed as a form of operational risk, which is sometimes overlooked as buyers focus on areas such as credit, said Trent Fleming of Trent Fleming Consulting. Buyers must evaluate a seller's technology, including its vendors, and practices, including methods for monitoring server traffic.
Acquirers also need to evaluate a seller's culture and educational approach to cybersecurity. For instance, a bank that has refrained from using tablets in the field should take time to discuss procedures with a target that has embraced that approach.
"We haven't seen a high tolerance of bank executives' delving down to that level of an acquired institution," Fleming said. "In today's environment there's more to consider than the quality of the loan portfolio."
Cybersecurity was something MainSource considered as it evaluated Cheviot Financial, a Cincinnati company it eventually agreed to buy. The $3.3 billion-asset MainSource even considered the security of messages containing confidential information sent between the institutions.
It's crucial to ensure that any potential seller takes cybersecurity seriously, Brown said. MainSource carefully trains its employees about basic security protocols to avoid inadvertently falling victim to a scam. Its executives want to know that any bank MainSource buys is equally careful.
"If there's an issue related to cybersecurity, then that may portend other cultural issues," Brown said. "We're going to assume those accounts and those customers, and we want to make sure there aren't any lurking issues."
East Cambridge Savings Bank in Cambridge, Mass., went through a rigorous due diligence process that included reviewing IT procedures before buying Chelsea Bank in February. Chelsea even started adopting East Cambridge's operational policies and procedures once an agreement was in place.
"It was a real concern to get to know and get comfortable with — and to monitor — their system," said Gilda Nogueira, president and CEO of the $973 million-asset East Cambridge. The Federal Reserve's "first question involved how we were monitoring their networks. They wanted to see how we were doing that. They didn't care as much about the loans as they did the cybersecurity."
The Fed declined to comment.
Cybersecurity can present reputational risks for acquirers, industry observers noted. If a seller had a breach that wasn't discovered until after a deal's completion, then the acquirer risks losing the trust of its customers — and possibly even accounts.
A buyer must be aware of a seller's potential vulnerabilities, said Vincent Hui, a senior director at Cornerstone Advisors. It is important to check a seller's policies and how well employees follow them, to avoid scenarios where a Trojan horse, for instance, is introduced to a buyer's system during integration.
"That's the other level people need to think of — how well do our policies mesh and how much does it cost to make them mesh?" Hui said. "It's also infrastructure and training. That all costs money and impacts the deal."
Increased attention to cybersecurity also has a financial cost. A buyer could be on the hook for damages caused by a breach that took place before a deal's closing, though insurance typically covers such instances. There could also be expenses tied to bridging technological gaps and providing education to a seller's employees.
Banks have to consider the risks that could arise after a deal is completed, said Sean Curran, a director in West Monroe Partners' technology infrastructure and operations practice. Potential exposure increases as a company adds personal accounts. The type of acquisition — ranging from a whole bank deal to the purchase of certain assets — also influences the amount of attention that should be devoted to cybersecurity.
Acquirers need to consider "what the security will look like once they integrate," Curran said.
Paul Davis contributed to this article.