A common consumer of news might assume that financial services hacking incidents are just a big-bank problem. Cyberintrusions of the largest institutions by sophisticated criminals and potentially foreign governments are well documented.
But community banks of every stripe should be on alert for a genus of attacks meant more for smaller institutions than bigger ones. On Nov. 3, the Federal Financial Institutions Examination Council issued a joint statement intended for community banks warning of the "increasing frequency and severity of cyberattacks involving extortion."
In such attacks, cybercriminals target the bank's funds rather than those of its customers. Through the installation of "ransomware," a cybercriminal can limit or even prevent the bank from accessing its computer systems. Alternatively, through a denial-of-service attack, cybercriminals can flood a bank's system to limit access. Once the malware is successfully implanted, the cybercriminal demands exorbitant payments in return for restoration of service.
The unique threats for community banks are especially relevant in light of policymakers' continued insistence on smaller institutions taking steps to improve cybersecurity. This pressing issue for banks of all sizes was addressed in a July speech by Deputy Treasury Secretary Sarah Bloom Raskin, in which she posed several questions for banking leaders to consider when assessing the state of their cybersecurity programs. They ranged from "Does our bank embed cybersecurity into our governance, control and risk management systems?" to "Have we trained our personnel on our cybersecurity policies?"
While the precautions and responses implied by her questions do not rise to the level of regulatory requirements, the practical reality is that a financial institution must be prepared to address each subject and defend its response.
For instance, the FFIEC Cybersecurity Assessment Tool referenced by Raskin is meant to be consistent with the FFIEC IT Handbook, the National Institute of Standards and Technology Cybersecurity Framework and "industry accepted cybersecurity practices." The assessment tool is designed to assist a bank in determining its inherent risk profile and cybersecurity maturity. Failing to consider the assessment tool's identification of the bank's inherent risk and cybersecurity maturity seriously jeopardizes the bank's ability to argue the institution complies with industry cybersecurity standards.
Some of Raskin's suggestions are common practice and easily within the reach of even the smaller community banks. Multifactor authentication for access to online banking is becoming, if it isn't already, the industry standard. Likewise, staying current on software updates is a fundamental responsibility of any IT department.
Equally achievable and expected is the implementation of cybersecurity training for all bank personnel. Such training includes the basics like teaching the importance of keeping passwords complex and secure, exercising caution in opening email attachments and following email links, and downloading only approved applications. Less obvious, but just as important, is educating employees to safeguard against low tech "visual hacking" — the inappropriate viewing of confidential information on documents left in the open or computer monitors not adequately screened.
However, community banks may face challenges in addressing Raskin's other questions due to their limited resources. Apart from the direct damage done to the bank by blocking its access and inhibiting operations, such an attack can prevent the bank's customers from online access to their accounts to check their balances, transfer funds or complete other transactions.
As devastating as these attacks can be to any financial institution, the cost to community banks can be especially catastrophic. A hallmark of community banks is their emphasis on individual customer relations. Maintaining the trust and confidence of customers is imperative to every financial institution, but it is the lifeblood of a community bank.
To address these concerns, the FFIEC last year provided banks with practical guidance on minimizing the risk of cyberattacks. While these recommendations were specific to cyberextortion threats, they equally apply to a broader range of cyberintrusions.
The FFIEC suggested banks conduct ongoing information security risk assessments; securely configure their systems and services; protect against unauthorized access; perform security monitoring, prevention and risk mitigation; update information security awareness and training programs, as necessary, to include cyberattacks involving extortion; implement and regularly test controls around critical systems; periodically review, update and test their incident response and business continuity plans; and participate in industry information-sharing forums.
While some of the FFIEC recommendations merely state the obvious, others provide useful insight into the actions a bank may take to lessen its cybersecurity risks. These include requiring all senior management to participate in regular discussions of the bank's unique cybersecurity risks, and its specific breach response plans. Banks should provide regular and mandatory follow-up cybersecurity training for all employees, supplemented with training sessions with internal bulletins and communications that focus on recently discovered industry cybersecurity risks.
Meanwhile, in addition to crafting a written breach response plan, in is critical that banks ensure that all persons with breach response obligations know their duties and the bank educates all employees on the procedures for reporting a breach incident. Finally, community should tap into the cybersecurity knowledge, expertise and resources of larger banks by attending, and preferably participating in, industry cybersecurity forums, webinars, seminars and listserv discussions.
Anthony (Tony) McFarland is a partner in the Nashville office of Bass, Berry & Sims PLC, where he serves as co-chair of the firm's Financial Institutions and Data Security & Privacy practice groups. He may be contacted at email@example.com or 615-742-6250.