Banks Step Up to Meet the Cyber Threat Challenge

Cyber attacks for profit, and often these days for political purposes or even just for fun, have become alarmingly common in recent years. They are not only ubiquitous; they can also take many forms. These include denial of service attacks, insertion of malware into a company’s system through innocent employee Internet searches, and exploitation of critical security flaws in manufacturers’ software, to name but a few possible cyber risks.

No institution or individual seems free of cyber attack risks. Victims of these crimes even include governments that spend billions on protection measures!

It should surprise no one that banks have become targets of these attacks. It will also surprise no one that banks take the cyber threat very, very seriously and have allocated a great deal of resources to protect themselves and their customers’ data. With the threats taking so many possible forms and coming from foreign as well as domestic sources, such protection is expensive and it sure isn’t easy.

Joe Mulrooney is senior vice president and chief risk officer at Northfield Bank. He is also chairman of NJBankers’ ERM (Enterprise Risk Management) Committee. “The threat is real and Northfield Bank and I believe all banks in New Jersey are taking it very seriously,” he says. We all “work hard to earn the trust of our customers, and a security breach/cyber event could be very damaging to a bank’s reputation and customer loyalty. An event could also result in business disruption, fines, legal costs and compensation claims.”

Bank regulators are focusing a lot of attention on cyber security as part of their safety and soundness examination of banks.

“NJBankers offers its members tools to assist their efforts in guarding against the ever-present and growing cyber security threat,” Mulrooney says. The association “has become a member of the Financial Services Information Sharing and Analysis Center, which provides timely updates on the top cyber risks and the current cyber threat level. NJBankers is [also] partnering with the New Jersey Office of Homeland Security and Preparedness, which recently established the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) to combat cyber threats. The NJCCIC also produces a weekly Cyber Alert, as well as daily Cyber Alerts when warranted.”

In the year 2000, with the growth of Internet banking, cyber security emerged as a growing threat, says Karen Rockoff, executive vice president and chief risk officer at Peapack-Gladstone Bank, and vice chairwoman of the NJBankers ERM Committee. “Bank spending on security measures has been growing at least by 3 to 4 percent per year since that time.”

Alas, preparation and prevention can’t easily be budgeted when it comes to bank recovery costs. She cites as an example the credit card-related hack of a national bank that cost millions of dollars.

One traditional way to mitigate risk costs, of course, is with insurance. But that option, when it comes to cyber risk, still doesn’t work all that well.

“The coverage is still limited,” notes Kevin Runyon, executive vice president and head of technology at Peapack-Gladstone Bank. “Insurance came along just about five years ago and only a couple of carriers now specialize in it; it’s still not cutting edge. Insurance for these attacks is still evolving and there are still so many exclusions. This is the Wild West of insurance.”

How are New Jersey banks handling cyber security? “Northfield Bank and banks in general are committed to making the necessary investments in staff and technology to combat these threats,” Mulrooney says.

Many banks like Northfield, he goes on, now have a dedicated chief information security officer directing their cyber security efforts. They are investing in vulnerability assessments, penetration testing, real-time intrusion detection and prevention technology and systems to monitor all critical network resources 24/7. Banks are instituting incident response plans and teams to manage any cyber event and, when necessary, notify customers. Banks are also ensuring their technology service providers (TSP) have appropriate cyber security programs, business resumption and incident response plans commensurate with the complexity of the services provided. Banks are also contractually requiring their TSPs to notify them immediately when breaches in security result in unauthorized intrusions.

Banks, Mulrooney continues, are also installing intrusion detection and prevention systems to detect and block exploit attempts. They have installed Internet web filters to block high risk sites and e-mail (SPAM) filters to block phishing e-mail and potential viruses. They are: installing firewalls and implementing access controls to limit external threats; monitoring critical network resources 24/7; and implementing two-factor authentication to reduce or eliminate unauthorized access to networks and information. Banks are also segmenting their network so that if one part of the network is breached, the integrity of the rest of the network is protected. Moreover, banks are locking backdoors (i.e., a loophole or security flaw in software) to ensure that all network trust relationships are well-protected.

Educating Bank Employees and Customers

Technology fixes to check technology-based cyber attacks are critical, but without also addressing the human factor, educating a bank’s own employees and customers to take their own defensive steps, technology protection could still leave open a lot of attack pathways.

Says Rockoff, “We work very hard on training and education for our employees. We also work hard educating our customers. As employee education for prevention of attacks grows, they can pass information along to our customers.

“Our weekly bank newsletter addresses security issues. We view all of our employees as risk managers for our bank and, importantly, our customers as well. For our business customers, we continually point out that ‘when you own the business, you own the risk.’”

“In every one of our branches, we have what we call ‘Fraud Days,’” she continues. “Customers can come in and discuss their cyber risk concerns and issues with a knowledgeable staff. Kevin and I also spend a lot of time with our senior managers on cyber risk. We are even planning a Security Awareness Month this fall, where we will emphasize [to our customers] prevention and detection, and what to do when a cyber event occurs.”

Mulrooney says human error is one of the leading causes of data breaches and reinforces the need for employee training and customer awareness programs. “We require all our employees, from the CEO to the tellers, to take mandatory information security training annually. Our IT (information technology) department has also created a ‘Security Center’ on our website and a monthly Information Security Advisor newsletter that is sent to all employees and is posted on our website for our customers to read. It discusses topics such as: strong password management techniques; how to avoid phishing and social engineering attempts; keeping personal identifying information private; safe cloud computing; and other customer protection topics.”

The resources and effort are significant and essential. But can a bank ever out-flank cyber security attacks? “Even the government that spends billions of dollars on cyber security has had some well-publicized attacks,” Runyon says. “The bad guys, unfortunately, are also always getting better.”
