Of all the American institutions being threatened by cybercriminals and their activities, banks are clearly the most targeted. Experts say financial services firms are hit by security incidents 300 times more frequently than businesses in other industries, with tens of millions of dollars being stolen from banks across the world each year.
“Cybercrime and cyber fraud are extremely prevalent issues in the banking industry,” says Nathan Horn-Mitchem, first vice president and information security officer at Provident Bank, whose corporate headquarters is in Jersey City. “By many measures, financial services is the most targeted sector of the US economy for cybercrime because, as the notorious outlaw Willie Sutton said, ‘That’s where the money is.’”
In the summer of 2014, a cyber attack on JPMorgan Chase – the nation’s largest bank – gave criminals access to sensitive data from the accounts of 76 million households and seven million small businesses. More recently, there were two broad online attacks involving Swift, the messaging system used to move money between thousands of banks around the world. During the second incident, which took place in February, attackers stole $81 million from the central bank of Bangladesh, compelling the Federal Reserve Bank of New York to move money to accounts in the Philippines.
These examples are just the tip of the iceberg. The rising number of online attacks has prompted banks to up their cybersecurity spending to unprecedented levels. Various news outlets report that Bank of America, the nation’s second-largest lender, will spend $400 million on cybersecurity this year, while JPMorgan Chase expects its expenditure to double to $500 million in 2016. Citigroup’s annual cybersecurity budget has risen to more than $300 million, and Wells Fargo’s to about $250 million.
“Protecting systems from cyber attacks is a major focus for all financial institutions, with a lot of resources and energy put into that,” says Kevin Friedlander, northeast communications manager for Wells Fargo. “We work along with other entities – whether it be the government or other financial institutions – as protecting our customers’ information is a top priority.”
According to the “Banking & Financial Services Cybersecurity: U.S. Market 2015-2020 Report,” published by Homeland Security Research Corp. (HSRC), the 2015 US financial services cybersecurity market reached $9.5 billion and is expected to be the fastest-growing non-government cybersecurity market, exceeding $77 billion in cumulative 2015-2020 revenues.
It’s not that cyber threats to banks are anything new; they’ve been around as long as the industry has been connected to the Internet. “It’s just that in the last couple of years, it’s become more newsworthy with very important businesses, Sony and JPMorgan Chase, being hacked,” says Kevin Runyon, executive vice president, chief information officer and head of banking services at Bedminster-based Peapack Gladstone Bank. “Therefore, bank regulators have set forth quite a bit of guidance for banks – protections like firewalls and network monitoring – which are looked at every time they’re audited, or a minimum of twice a year.”
In fact, banks are staying ahead of threats by collaborating with other banks and keeping a sharp eye on hacking trends. “A new attack type aimed at one bank will be used on other banks before the week is over, and the more information we share with each other, the better able we are to protect the industry as a whole,” Horn-Mitchem says. “It’s in every financial institution’s best interest to make cybercrime against banks difficult, expensive and mostly unsuccessful.”
One of the most significant rising threats is ransomware, a type of malware that can be secretly installed on a computer and that encrypts information and prevents or limits users from accessing their system – forcing them to pay ransom to regain access. Runyon says that while ransomware is dangerous for everyone, banks are somewhat insulated by sophisticated security and backup processes. Thus, the growing concern is for business clients. “We lend money to all types of businesses, and we don’t necessarily know what security they have in place. If they are hit with ransomware, it could cripple them – or even put them out of business,” he says. “This year, we’re offering formal programs, where we have clients come into the bank and hold education classes for them on cybersecurity.”
In addition to concerns about small business clients, banks have another, even more vulnerable victim to keep in mind: the individual customer. “We’ve gone from having to be worried about firewall protection [for ourselves] to hackers going after Joe Public, getting into his computer, watching what he does and using that information to go into his online banking,” says Daniel G. Beatty, senior vice president and chief operations officer for First Hope Bank in Hope. “The way the banking industry is responding to that is through customer training, making them aware this exists.”
Most banks have several consumer education tools in place. For example, Wells Fargo has a whole section on its website called “Fraud Prevention Tips,” which addresses everything from protecting your identity and your accounts, to being safe online and on your mobile device. “Sometimes people send out e-mails that look like they’re from the bank, but aren’t, or they’ll make a phone call and say they’re from the bank, but aren’t,” Friedlander says. “We’re educating the customer on fraud and how not to fall victim to it.”
Horn-Mitchem encourages consumers to limit their personal risk by designating a single computer for online transactions that can’t be used for social media, e-mail or downloading; keeping that computer up to date with patches and antivirus software; and setting up two-factor authentication with their banks, especially for high-risk transactions like wiring money. Also, for those who like to do online banking on their mobile device, he urges them to download the bank’s app, rather than accessing its website, as it can be more difficult to spot a phony site on a phone’s relatively small screen.
“Finally, we all rely on e-mail to drive our business, but hackers use it to trick people all the time,” Horn-Mitchem says. “Have your employees follow up e-mail requests for money movement with a phone call to the sender. Don’t let someone impersonate your CEO, business partner or customer, and convince you to transfer money to their account by just sending an e-mail requesting the money.”
Ronald E. Schwarz, senior executive vice president/chief revenue officer of Oak Ridge-based Lakeland Bank, also warns about the dangers of identity theft, which he says is now surpassing drug trafficking as the No. 1 crime in America. Among his recommendations are the following:
Indeed, educating customers on how to avoid becoming a victim is now a top priority among banks across the board. As Beatty says, “We stress to customers that they need to be looking at their accounts. As much as our internal networks try to guess your shopping patterns, you’re the best person to monitor that.”
Overall, the banking industry needs to remain vigilant, continuing to strengthen firewalls, keeping employees from compromising security by going on public Internet sites, and closely monitoring customer activity while teaching those same customers how to protect themselves.
“Looking at what’s happened with other industries being hacked, we are very good at being able to react to situations,” Runyon says. “The idea is, first and foremost, to prevent any attacks, but in case something does happen, we have really robust and detailed plans to react to that event and minimize any impact.”