Information Technology for Directors Q1 2020

January 6, 2020




2020 will be like 2019 – More Threats and Greater Risk than Before

The risks banks face today from cyber threats are greater than at any time in the past, and these risks are growing. The first 6 months of 2019 reflected a 54% increase in data breaches over the same period in 2018.1 

Nation states, terrorist organizations and organized crime have all moved online and have a varying degree of cyber warfare capabilities at their disposal. Nation states and their proxies seeking to use cyberattacks is a real threat as we start 2020. 

“One of Iran’s most likely and potentially potent forms of response is with cyberattacks, either against the U.S. government, its allies, or private companies responsible for infrastructure including in the banking and energy sectors,” according to former government and cybersecurity experts quoted in an article from the Wall Street Journal about Iranian retaliation for a U.S. military strike.2

Directors are ultimately responsible for managing cyber risk at their institutions. Similar to adjusting credit standards in anticipation of an economic downturn, cybersecurity should also be managed in a similar manner with directors devoting more attention to technology risks when risk levels are anticipated to increase.

40% of the Matters Requiring Attention (MRA) Citations Were for Operational Reasons

Bank regulatory agencies continue to see operational risk, driven by cybersecurity threats, as a top risk. The OCC’s Semiannual Risk Perspective Publication identified Patch Management, Network Configuration and Access Management as specific areas that banks are challenged in effectively addressing.3 Federal Reserve IT examiners at an industry event in St. Louis commented about cyber being the No. 1 risk for banks, and the FDIC’s vice chairman commented in a Washington, D.C., presentation that cyber risk was a top threat as well.

Want to know more? Ask us for BankOnIT’s Regulatory Update on the OCC Semiannual Risk Publication.  

Other Potential Contributors to Elevated Operational Risk

The Semiannual Risk Perspective also identified potential economic pressures that may challenge banks in maintaining or increasing profitability and warned that cost-cutting strategies aimed at enhancing near-term returns should balance profitability with the maintenance of proper controls.   

One Silver Lining of the Cloud is Increased Efficiency

The use of third-party service providers has increased efficiency for many banks and allows institutions to leverage technical expertise necessary to offer sophisticated products and services, according to the OCC report.3

Could your institution benefit? Ask us for more information about how a cloud computing solution designed specifically for financial institutions helps increase efficiency.   

Vendor Due Diligence is Essential 

Today, more than ever, competent third-party vendors provide network technology services that financial institutions cannot obtain on their own. However, third-party vendors can also contribute to increased risk if they do not have internal controls and proper oversight in place. Performing solid due diligence is essential, and there are lots of questions you should be asking. One of the first checks should be to determine if a technology firm is designated as a Technology Service Provider (TSP). TSPs receive regular examinations from bank regulatory authorities.

Contact us for a risk assessment questionnaire and guide that will help you analyze third-party technology vendors.

Attacks are Becoming More Sophisticated

Another state banking association email account was recently compromised, putting banks, their employees and others at an increased risk for social engineering, ransomware and other cyber-threats. 

Association email accounts are being targeted because they have a large number of bank email addresses, and bankers tend to trust emails from an association. With attacks coming near the end of day on a Friday, these sophisticated attacks are designed to get around the systems and training a bank has in place to defend against such attacks. 
 
It’s not only your bank’s third-party providers that need to be managed, it’s any customer, person or entity you interact with online. 

Creating a Cybersecurity Culture: Consequence or Reward?

Regulators expect bank boards of directors and senior management to foster a strong cybersecurity risk culture. Regulators want technology risk managed in a way that credit risk or other traditional risks are managed in the bank – with board involvement.   

The big question: How do you create a strong cybersecurity culture with your employees?

Some institutions reward employees for proactively identifying a cyber threat. Other institutions are more stick than carrot and have implemented a three-strike rule, with the third strike being termination for employees who fail testing.  

Cybersecurity tests can be designed to fail users. And what do your employees think of a test designed to trick them rather than help them? Think about the outcome you want to achieve. Choose a path that best fits your institution’s needs and culture. 

The Final Word

Cyber threats also impact your business customers. In Colorado, more than 100 dental offices suffered a ransomware attack. They had a common factor – they all shared the same third-party technology provider. Texas, California and other states have seen similar types of attacks.

Many businesses use third-party providers for IT help, and many of those decisions on whom to use are based on price rather than on capabilities, internal controls, oversight or other indicators of having the ability to create successful outcomes. If you have a business client that is impacted by ransomware and can’t access critical business records, perform payroll functions, or transact account receivable or payable functions, how long would they stay in business? Does your institution consider a customer’s cybersecurity awareness in credit decisions? 

Have questions? Contact us at Solutions@BankOnITUSA.com, or 800.498.8877.*

 

*If you’d like to receive the Information Technology for Directors publication directly in your email inbox, please email us at Guidance@BankOnITUSA.com.


References:
1 https://www.forbes.com/sites/extrahop/2019/11/14/data-security-breaches-statistics-you-need-to-know/#32e1f53e3f88
2 https://www.wsj.com/articles/pompeo-says-strike-aimed-to-reduce-tensions-in-middle-east-11578072134
3 https://www.occ.treas.gov/publications-and-resources/publications/semiannual-risk-perspective/files/semiannual-risk-perspective-fall-2019.html

 

Contact Us

Discover for yourself how BankOnIT helps banks.
Contact us today using the secure form, or give us a call.

Toll Free
800.498.8877





Information Technology for Directors Q1 2020 | Articles