There is no disputing that cybersecurity is a top concern for banks today.
Spending on digital protection continues to be one of the top line items in banks' tech budgets. Meanwhile, new regulations such as the ones proposed on Wednesday, continue to pop up with the intention of ensuring banks are more secure.
But some banks are trying to be more than reactive, completely rethinking how they're approaching cybersecurity. Instead of looking to build a fortress, banks are seeking a bigger grasp of the threats they face and developing strategies that go beyond pure defense.
Information security in banking "is no longer just about protecting the moat and the castle, it's knowing what's going on in the castle and, oh by the way, protecting the customer's castle, too," said Jim Ford, president and chief executive of Central Valley Community Bank of Fresno, Calif.
The $1.4 billion-asset Central Valley is pairing with its auditors to anticipate vulnerabilities. The bank works with RLR Management Consulting, which advises small-to-midsize banks on matters including technology. The firm helps central Valley prepare for regulatory exams, and conducts audits in various areas in an effort to offer best practices and recommendations to fix areas with issues and prevent them from occurring again.
That is something the bank couldn't do with its limited staff alone, Ford said.
"In the old days [IT exams] were much less strenuous," he added. "Now, regulators are really shifting the burden of cybersecurity onto the institution."
Ruth Razook, founder and chief executive of RLR, said one of her firm's priorities is to stay on top of regulators' ever-changing cybersecurity expectations so its clients are best prepared.
"We try to have a great relationship with the regulators," she said. "In the last five years we've seen some good regulatory guidance on this topic, and we try to translate that guidance and help banks adapt."
Catskill Hudson Bank in Kingston, N.Y., has invested in a "vulnerability management" solution from security vendor Tenable Network Security that allows it to get a broad-level view of its security situation. The bank initially partnered with Tenable to help it with regulatory audits, but now uses the technology to see where there might be gaps in its security network and work to patch them, said Ted Tomita, chief technology officer of the $452 million-asset institution.
"You have to be constantly monitoring and trying to detect anything [that could be a cyberthreat]," he said. "Ten years ago…[cybercriminals]were more like troublemakers; they weren't trying to breach your network and steal identities and large amounts of data."
Though Catskill Hudson is subject to New York's newer cybersecurity regulatory standards, Tomita said regulatory compliance is not driving the bank's focus on cybersecurity. The threat level is.
"Every day you hear about some organization being breached-- we decided that wasn't going to be us," he said. Tomita also added that often the regulations around cybersecurity "end up being useless; they don't cover what is actually happening in the world."
Effectively combatting cyberthreats involves spending smartly on technology as well as tailoring cybersecurity strategy to evolving threats, experts say. But smaller banks struggle with this burden.
"Only the top 10 to 20 banks in the U.S. have the resources to properly staff and create security teams to deal with what banks are facing today," said Eddie Schwartz, chief operating officer of WhiteOps, a security vendor. He is also the chair of the Cybersecurity Advisory Council for ISACA, an industry association for security professionals.
Banks face a number of new threats, Schwartz said. Cybercriminals are now much more sophisticated and "acting similar to nation-state groups." They are targeting areas where large amounts of money can be compromised, such as trading systems. Further, he said, trends such as the consumerization of IT and companies' usage of social media platforms, banks are "operating in a more complex world than before; they no longer have total control over everything."
For those banks without massive IT budgets, Schwartz recommends banks "look at where are the most vulnerable areas where cybercriminals and fraudsters are attacking banks successfully, and look to invest in technology there."
But investing in technology is only the beginning, he said. Banks need to formulate a strategy around combatting cybercrime, such as increased training for personnel on, for example, how to recognize activity that might look like it's being performed by a bot as opposed to a human.
This is where heightened attention to regulation could benefit banks, as it may spur more internal cybersecurity training. Schwartz said the "perfunctory" training done by many banks won't cut it today.
"To put someone in front of a computer once or twice a year to answer 10 questions is not an effective strategy anymore" he said.