Can your technology keep up?
There are more cyber security risks and competitive threats to traditional financial institutions than ever before. These increased risks are creating challenges for some institutions however they are also creating opportunities for others. Following is a review of the drivers of these risks and some thoughts on how to turn these risks into opportunities.
Your Institution Faces Rapidly Growing Cyber Security Risks
The Federal Reserve Bank of New York Staff Report states that financial services firms face up to 300 times the cybersecurity risks than other businesses.1
Between March and June 2020 ransomware and phishing attacks at banks increased by 520%.2
The OCC expects cyber threats to banks, customers and third parties to continue to increase for the foreseeable future.3
The FDIC and OCC released a joint statement in 2020 warning banks that “disruptive and destructive attacks against financial institutions have increased in frequency and severity”.4
Drivers of Increased Cybersecurity Risk
There are multiple reasons why cybersecurity risks are increasing:
- Increased frequency of attacks
- Well-funded & sophisticated adversaries
- Readily available online cyber-attack tools
- Substantial increases in remote work by employees
- Too few skilled cyber security people to meet the job demand
- Greater willingness by adversaries to use more destructive types of attacks
Do You Know How Many Vendors Your Vendor is Using?
A recent speech from a Federal Reserve official stated that many community banks lack the resources to exercise appropriate due diligence in their selection and oversight of selected vendors.
Part of the challenge is due to many vendors using multiple other vendors to provide services, each of which must be vetted by the institution. As a result, due diligence becomes more burdensome in correlation with the increased quantity of vendors.
Selecting the Correct Vendor Eases Due Diligence and Creates Better Outcomes
Here are four quick tips to look for when selecting a vendor to make due diligence easier and gain better outcomes:
- SOC audits of the actual vendor you are contracting with
- Owned infrastructure and facilities versus leased or outsourced
- Entirely US based staff with no off-shoring and no contract labor
- Designation as a Technology Service Provider (TSP) by the FFIEC with examinations from Federal banking regulators.
Over 18,000 Common Vulnerabilities and Exposures (CVEs) Identified in 2020
CVEs are vulnerabilities in software which, left unpatched, create opportunities for cyber attackers to attack the network. The National Institutes of Standards and Technology (NIST) reports that over 50% of 2020’s vulnerabilities were identified as “critical” or “high severity” – an all-time high. Additionally, many of these vulnerabilities require no user interaction to exploit.5
With thousands of critical vulnerabilities occurring every year, your institution has likely only heard about a few of the most publicized, but just as threatening, events.
Proven Processes Outperform Crisis Mode in Defending Against Cyber Threats
Given the volume of CVEs occurring each year, it's imperative that institutions have proven processes to address all vulnerabilities as they occur. Responding in a crisis manner is neither sustainable nor effective with the volume of events that are occurring.
Numerous audits and vulnerability assessments show that process defined cyber defenses consistently achieve better results across a wide range of financial institutions.
Processes Also Increase Speed in Defending Against Cyber Threats
Identifying a threat, analyzing a threat, determining which systems are impacted, ensuring mitigating defenses are performing as designed and, in worst-case scenarios, identifying and getting the malicious actors shut out as fast as possible. All these activities are performed much faster and more effectively with process defined cyber defenses.
The most advanced cyber defenses combine artificial intelligence (AI), machine learning, and experienced technical analysts into repeatable processes for defense of digital assets.
AI & Machine Learning Are Providing New Opportunities to Banks
AI and machine learning are also speeding up decision making and increasing efficiency with credit decisions, risk management and flagging suspicious transactions.6
Cyber Threats are Rarely Specific to One Institution
The Federal Reserve Bank of Boston’s Cyber Threat Sharing Forum notes that a malicious actor often uses the same tactics and techniques that they’ve used to attack one financial institution to attack others.7
A vendor with advanced cyber-defenses using AI and machine learning combined with human intelligence identifies these threats across multiple institutions in real-time. This allows for identification and analysis of threats and execution of a cyber response for quick action to defend financial institutions' networks against these attacks.
A Proposed New Rule Will Require Notice of Computer-Security Incidents
The OCC, Federal Reserve System and the FDIC published a Notice of Proposed Rulemaking (NPR) that would require an institution to provide its primary federal regulator with prompt notification of any "computer-security incident" that rises to the level of a "notification incident," with defined incidences ranging from downtime to ransomware.
The proposed rule would require banks to notify regulators no later than 36 hours after the bank believes that a "notification incident" has occurred. The rule would also require a bank service provider to notify at least two individuals at each affected institution within four hours upon the occurrence of a qualified event.8
OCC Interpretive Letters Regarding Digital Wallets & Payment Related Activities
The OCC has released interpretive letters regarding the authority of national banks to provide cryptocurrency custody services for customers and the permissibility of new payment technologies such as stable coin.
The OCC letter related digital wallets9 to traditional safekeeping activities and reaffirms that national banks may engage in any lawful business they choose, including cryptocurrency businesses, so long as they effectively manage the risks and comply with applicable law.10
Increased Use of Technology Requires Increased Security & Controls
Any increased activity by banks relating to new technologies should be risk assessed to ensure the institution has effective information security infrastructure and controls in place to mitigate hacking, theft and fraud.
87% of Central Banks are Exploring the Use of Digital Currency
Most nations’ central banks are exploring the use of digital currency. It’s a trade off between convenience and privacy. Digital currency can be tracked everywhere it is used and be set to expire or invalidated. Digital Currency is less about money and more about data, with the potential for creating disruption in existing payment systems.
FRB Won’t Issue a Digital Currency Without Congressional Approval
Both Federal Reserve Chairman Powell and Treasury Secretary Yellen have stated the issue of the US offering a digital currency is being studied. Powell said issuing a digital dollar would need buy-in from Congress, the administration and the public.11
China Creates its Own Digital Currency
China is the first major economy to create a digital currency. The Wall Street Journal discusses the impact of this move. Watch the video to see digital currency in action: China's New Digital Currency Is Easy to Use but You'll Be Watched (wsj.com). Read the article to learn more about the risks of government tracking every transaction, including foreign companies in China here.
I Have Piles of Cash at Home
"I have piles of cash at home, the government is paying me cash for my salary because I don't have a bank account.” After being added to the U.S. Treasury’s OFAC sanctions list in August, Hong Kong Chief Executive Carrie Lam says she can’t get a bank account in her own city. Read more in this article here.
Are You Feeling Lucky?
Rapidly advancing new technologies, increased cyber security threats and greater regulatory focus. Technology that is a source of strategic strength has nothing to do with luck. It’s the result of planning, processes and having the right people. BankOnIT’s systems and people provide thousands of bankers greater confidence and more time to be bankers everyday.
Are you a bank director with questions about IT compliance that you would like to ask in a confidential manner? Send us a secure note under the Contact section at www.BankOnITUSA.com.
If you’d like to receive the Information Technology for Directors publication directly in your email inbox, please email us at Guidance@BankOnITUSA.com.
1Federal Reserve Bank of New York Staff Reports - Cyber Risk and the US Financial System June 2020 revision
2American Banker October 6, 2020
3OCC, Semiannual Risk Perspective, (Spring 2020) Semiannual Risk Perspective
4FDIC and OCC, Joint Statement on Heightened Cybersecurity Risk
8Federal Reserve Bank of Boston, Cyber-threat Sharing Forum Fosters Open Dialogue, Non-competitive Environment, Financial Services Organizations Share Information to Thwart Cybercrime
10Office of the Comptroller of the Currency - Interpretive Letter #1174, OCC Chief Counsel’s Interpretation on National Bank and Federal Savings Association Authority to Use Independent Node Verification Networks and Stablecoins for Payment Activities