As attacks against small business bank accounts in the U.S. rise, an increasingly hot-button topic is who is responsible for the losses. Consumers are covered by their banks, of course, but many small business owners erroneously assume they are too. In response, some banks are stepping up publicity around their education and cyber response programs, hoping to head off losses. "These are important for security and to build trust between the bank and the client," says Nancy Atkinson, a senior analyst at Aite.
Dallas-based Comerica Bank is one institution making this push. Bridgit Chayt, svp global corporate products, says "customers have always looked to banks for best practices on controls to prevent fraud." The bank has an ongoing program to share best practices around password protection and phishing. "We try to keep the awareness message in front of them," she says, though the bank needs to be judicious in its messaging. "If you see something every day you can become immune to the message."
That diligence is important because even Comerica, with all its education and response processes in place, can get ensnared in account theft controversy. Earlier this year, Experi-Metal Inc. in Sterling Heights, MI, filed a lawsuit against the bank after a phishing attack circumvented the bank's two-factor authentication system and thieves stole more than half a million dollars in 2009.
The lawsuit alleges Comerica primed customers to become phishing victims by routinely asking them to click a link to update the bank's security technology. An EMI employee fell for a phishing scam that spoofed Comerica and claimed the bank needed to carry out scheduled maintenance of the banking software, the lawsuit alleges.
Atkinson says the biggest problem for Comerica is reputational risk, but the lawsuit could have broader implications. She explains that by law banks have to offer commercially "reasonable" security, but what is reasonable is open to interpretation. "This lawsuit will probably set the stage for what reasonable is," she says.
While Comerica officials declined to discuss the lawsuit, Chayt pointed out that "30 percent of the bank's business customers have been with the bank for more than 20 years, and [the education and cyber response programs] are helping us remain successful in a tough environment."
One aspect of the Comerica program that's been a particular success, Chayt says, is a once-a-year gathering at which a hundred or more Comerica business customers come together in person to swap war stories and share best practices. "They really appreciate the chance to talk to other customers," Chayt says.
George G. Surdu, evp and CTO of Comerica Bank, says that along with the educational program to help head off fraud, the bank has a cyber incident response team that's poised to move swiftly when a breach of any sort is detected. The so-called "event management program" has four elements: event notification, triage, response and lessons learned.
What makes the team work, Surdu explains, is having a clear communication structure that broadcasts trouble and assembles the core team. "The roles and responsibilities need to be clearly defined so we're working in lockstep."
The initial event notification that puts the cyber incident response team into motion can come from anywhere in the bank: through the business side where fraud is suspected or uncovered, through the security team itself, or through some reported anomaly detected on the technology side. No matter where the tip comes from, the team mobilizes quickly through predefined call trees and audio conferencing to triage the situation and set priorities.
In the response stage, the team breaks into two parts operating concurrently. There's a "technology bridge" in which team members assess the technology implications of the breach. What kind of technology was behind the breach, what vulnerabilities did the technology exploit, how and why did it succeed? There is also a "business bridge" in which team members address the business implications of the breach. What processes need to be changed, and who at the bank and among customers needs to be told? All these questions help to "define a set of actions," Surdu says.
Finally, there is the lessons learned phase. Surdu says "virtually every event is different" so there's almost always a new takeaway to improve the process. Even when the event is routine "we still go through the lessons learned phase to keep ourselves fresh and alert," he says.