Small-Bank Tech Budgeting All About Data Security These Days

Controlling costs will once again be a top priority for community banks in 2008, but there's one area where many are sparing no expense: protecting customer data.


Spooked by incidents of mass data breaches and stories of hackers infiltrating bank databases, community bankers continue to invest heavily in security-related technology, such as fraud detection software and multifactor authentication systems for their Web sites.

Bankers say criminals worldwide are constantly probing for weaknesses in banks' firewalls and that they have to be ever vigilant in securing sensitive customer data.

"The loss of cash in a robbery can be covered by insurance," said John Buhrmaster, president of First National Bank of Scotia in New York. "You'll make some more money tomorrow. But if you lose data, that's reputation risk, and that's very hard to get around. That's what keeps me up at night."

Mr. Buhrmaster and other bankers say security technology purchases are eating up so much of their IT budgets that they are putting other IT purchases on hold.

A Colorado bank that recently discovered high-tech "intrusions" said that its IT security spending has doubled in the past year and that as a result it is not handing out bonuses this year.

Christine Barry, the research director of wholesale banking for Aite Group in Boston, said that in an IT survey released earlier this year, 28% of the community banks said they were replacing or planning to replace their fraud detection technology over the next three years.

"There's certainly much greater focus today than there was a few years ago, across the board — from the largest institutions down to the smallest community banks," Ms. Barry said. "A lot of these new deployments are being driven by customer demand: Customers want to know their banks are doing more than just providing password security to protect their information."

Some of the more popular IT security purchases include software that tracks employee movement and real-time fraud decisioning software that monitors credit and debit card transactions and can allow banks to turn down authorization for a transaction in real time, said Derren Jones, the director of fraud strategy for the payments software company ACI Worldwide Inc. of New York.

Neural network scoring engines that flag different types of transactions based on model and probability factors are also popular, he said, adding that when bankers are making out their IT budgets, fraud- and security-related technology tends to get first priority.

Of course, there is more to IT security spending than just investing in new technology.

There is also the cost of auditing the systems to make sure they are working effectively and documenting the results for regulators. At First National of Scotia, technology costs such as securing firewalls go up 20% every year, Mr. Buhrmaster said, while auditing costs are increasing 30% to 50% a year.

That explains why the $288 million-asset First National of Scotia has put off buying a new document-retrieval system for another year.

"It's been on our list of things to do for the last couple of years, yet each time we go to look at it, we have some regulatory requirement that's facing us and money goes there," Mr. Buhrmaster said. "I'd like to actually replace it before it stops working. But you have to make decisions, and protecting data is critical."

Bridge Community Bank, a unit of Mechanicsville Bancshares Inc. in Iowa, has put off buying software that lets customers see recent transactions in real time or near-real time, said Robert Steen, the holding company's chairman and chief executive.

This year alone the $53 million-asset Bridge bought two new fraud detection systems, one for its debit card network and one for its online bank system.

Mr. Steen said that the direct hard dollars it spends on data security "easily exceed" 5% of the company's noninterest expense. That's a "significant number" for a small bank, but the larger point, he said in an email Thursday, is that these systems "do not operate on their own.

"Our human resources that go to monitoring, updating and dealing with alerts — many times including dealing with the inconvenienced customer — take a huge toll on our staff," he wrote.

For any bank that is on the wrong end of a data security related incident, any sense of choice about whether or not to boost spending in that area can evaporate.

The $257 million-asset Valley Bank and Trust in Brighton, Colo., discovered "intrusions" by hackers earlier this year, though no confidential information was stolen, said president and CEO Donna Petrocco.

The bank was forced to spend about $350,000 over five months to replace every single hard drive in the bank.

"We greatly underestimated what kind of financial resources we needed to commit to IT" security, she said. "It could have been so much worse. It was an expensive learning experience. We are budgeting now for continued improvements."

Julie Dirrim, Valley's chief financial officer, said its IT security spending has doubled in the last year, accounted for about 15% of its overall budget this year, and would be about 10% of the budget in 2008.

Ms. Petrocco said the extra costs this year will not affect spending on other IT projects, but "nobody's getting bonuses" this year, she said.

Ryan McNaughton, the network manager for the $196 million-asset North American Banking Co. in Roseville, Minn., said banks have no choice but to spend whatever it takes to secure sensitive data.

"You can save all the money you want by going as cheaply as you can and doing the minimum in security, and that's fine until something goes wrong," he said. "Then you end up with T.J. Maxx."

