Writing credit memos, preparing board presentations, and creating public-facing communications are only a few of the ways financial institution employees use AI tools such as ChatGPT. Why? Employees have found that it makes their jobs easier and allows them to finish tasks more quickly.
Visits to AI web pages such as ChatGPT have increased significantly over the past 12 months. CEOs may want to ask employees across different departments whether they are using AI tools such as ChatGPT and, if so, how those tools are being used and whether personally identifiable information (PII) is being input into those applications (applications such as these retain ownership of, and use, the information that is input into them).
The order is wide-ranging and directs agencies to set standards and best practices for fighting consumer fraud, develop advanced cybersecurity programs to find and fix vulnerabilities in critical software and improve telecom resiliency.
The order also directs agencies to ensure compliance with existing federal laws protecting against bias in underwriting and appraisals and consumer privacy requirements. Additionally, the order requires agencies to issue guidance within 180 days "to combat unlawful discrimination" resulting from AI used in decisions about housing access and other real estate transactions. [1] [2]
It is a CEO and board-level decision on whether the institution wants to use AI and to what extent. Discussing current and future uses of AI technology, as well as risk assessing those activities and creating policies about the use (or non-use) of AI, is going to benefit your institution.
Using Multi-factor Authentication (MFA) for access from outside the network with VPN connections and on the internal side of the network is critical for three reasons:
The Conference of State Bank Supervisors (CSBS) announced an update to the Ransomware Self-Assessment Tool (R-SAT V2). It is available for free to every financial institution on the CSBS website. [3] This tool, the second version, helps institutions assess their ransomware risks. While not a requirement, IT examiners will be looking for it. Utilizing the self-assessment tool and documenting the results in the IT committee and board meeting will help your institution get the best possible results from your next IT exam. Plus, it is free and easy, so why not do it?
Similar to Russia's invasion of Ukraine in 2022, there has been a significant increase in denial-of-service attacks against government and consumer websites, as well as an increase in cyber-attacks against industrial control systems and critical infrastructure in Israel. [4]
In a denial-of-service attack, attackers send more traffic to a website server (such as an online banking server) or other internet-facing server than it can handle, effectively knocking it offline and making it unavailable to legitimate visitors to the site. U.S. banks were previously targeted after a successful cyber-attack was launched against Iran's nuclear program; it was suspected that the Iranian government was behind the denial of service on U.S. banks.
Unfortunately, IT staff may misidentify a slow website or down server as being from another cause rather than a denial-of-service attack. Cyber attackers can visit the dark web and find a service that will perform the attack for payment, giving almost anyone the capability to perform such an attack. Your institution likely has already been the victim of such an attack. Ask your technology team what defenses your institution has in place and for examples of how those defenses have been effective.
The United States remains the most frequent target of cyberespionage and cybercrime attacks. Out of a total of 120 attacked countries, the U.S. was the #1 attacked nation, followed by Ukraine and then Israel, according to a recent study from Microsoft. Financial services is one of the most frequently targeted sectors.
Nation-state attackers and other attackers are becoming more sophisticated at creating fake LinkedIn profiles and using this method to contact executives, posing as people within the same industry as the victims they target. The fake profile is a form of social engineering to make the recipient of a connection request feel comfortable accepting a request with malicious links associated with the fake profile.
The FBI has previously warned about romance scams and fake investment opportunists from fake LinkedIn profiles as well.
Consider these three steps when deciding to accept a new LinkedIn connection:
If you suspect a faked LinkedIn profile, you can report it here: Report fake profiles | LinkedIn Help
The Wall Street Journal reported that Clorox Company, makers of Clorox products, Glad Trash Bags, and more, was the victim of a cyberattack. The attack led to operations disruptions and product shortages on store shelves.
Clorox said the financial impact is a reduction in sales of between 23% and 28% for the quarter that ended Sept. 30. The company warned it will post a loss in the quarter instead of the nearly $150 million in profit that investors had expected, and is in the process of assessing the impact the attack will have on fiscal year 2024 and beyond. [5]
Bankers are familiar with assessing credit risk; however, cybersecurity risk creates potential exposure with corporate borrowers that may not have been previously considered. Is your institution assessing cyber risk for commercial borrowers?
The Conference of State Bank Supervisors (CSBS) previously released (2020) a version of its ransomware self-assessment tool for non-bank entities. Similar to the version for financial institutions, you may find it helpful to provide commercial borrowers with this tool to perform a self-assessment. The non-bank self-assessment tool may be found at the bottom of this CSBS web page: https://www.csbs.org/ransomware-self-assessment-tool
--
[1] FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence | The White House
[2] Biden directs federal agencies to consider new regulation of AI | ABA Banking Journal
[3] Ransomware Self-Assessment Tool | CSBS
[4] Israel Sees Cyber Incursions Across Digital Systems - WSJ