There are more cybersecurity risks and competitive threats to traditional financial institutions than ever before. These increased risks are creating challenges for some institutions; however, they are also creating opportunities for others. Following is a review of the drivers of these risks and some thoughts on how to turn these risks into opportunities.
The Federal Reserve Bank of New York Staff Report states that financial services firms face up to 300 times the cybersecurity risk of other businesses. [1]
Between March and June 2020, ransomware and phishing attacks at banks increased by 520%. [2]
The OCC expects cyber threats to banks, customers and third parties to continue to increase for the foreseeable future. [3]
The FDIC and OCC released a joint statement in 2020 warning banks that “disruptive and destructive attacks against financial institutions have increased in frequency and severity”. [4]
There are multiple reasons why cybersecurity risks are increasing:
A recent speech from a Federal Reserve official stated that many community banks lack the resources to exercise appropriate due diligence in the selection and oversight of their vendors.
Part of the challenge is that many vendors themselves rely on multiple other vendors to provide their services, and each of those must also be vetted by the institution. As a result, the due diligence burden grows with the number of vendors involved.
Here are four quick tips to look for when selecting a vendor to make due diligence easier and gain better outcomes:
CVEs (Common Vulnerabilities and Exposures) are publicly catalogued software vulnerabilities which, left unpatched, give attackers a way into the network. The National Institute of Standards and Technology (NIST) reports that over 50% of 2020’s vulnerabilities were rated “critical” or “high severity”, an all-time high. Additionally, many of these vulnerabilities require no user interaction to exploit. [5]
With thousands of critical vulnerabilities disclosed every year, your institution has likely heard about only the few most publicized ones, even though the rest are just as threatening.
Given the volume of CVEs disclosed each year, it is imperative that institutions have proven processes to address all vulnerabilities as they occur. Responding in crisis mode is neither sustainable nor effective at the volume of events that are occurring.
Numerous audits and vulnerability assessments show that process-defined cyber defenses consistently achieve better results across a wide range of financial institutions.
Identifying a threat, analyzing it, determining which systems are affected, verifying that mitigating controls are performing as designed and, in the worst case, shutting malicious actors out as fast as possible: all of these activities are performed much faster and more effectively with process-defined cyber defenses.
The most advanced cyber defenses combine artificial intelligence (AI), machine learning, and experienced technical analysts into repeatable processes for defense of digital assets.
AI and machine learning are also speeding up decision making and increasing efficiency in credit decisions, risk management and flagging suspicious transactions. [6]
The Federal Reserve Bank of Boston’s Cyber Threat Sharing Forum notes that a malicious actor often uses the same tactics and techniques they used to attack one financial institution to attack others. [7]
A vendor with advanced cyber defenses that combine AI and machine learning with human intelligence identifies these threats across multiple institutions in real time. This allows threats to be identified and analyzed, and a cyber response executed, quickly enough to defend financial institutions' networks against these attacks.
The OCC, Federal Reserve System and the FDIC published a Notice of Proposed Rulemaking (NPR) that would require an institution to provide its primary federal regulator with prompt notification of any "computer-security incident" that rises to the level of a "notification incident," with the defined incidents ranging from downtime to ransomware.
The proposed rule would require banks to notify regulators no later than 36 hours after the bank believes that a "notification incident" has occurred. The rule would also require a bank service provider to notify at least two individuals at each affected institution within four hours of the occurrence of a qualifying event. [8]
The OCC has released interpretive letters regarding the authority of national banks to provide cryptocurrency custody services for customers and the permissibility of new payment technologies such as stablecoins.
The OCC letter relates digital wallets [9] to traditional safekeeping activities and reaffirms that national banks may engage in any lawful business they choose, including cryptocurrency businesses, so long as they effectively manage the risks and comply with applicable law. [10]
Any increased activity by banks relating to new technologies should be risk assessed to ensure the institution has effective information security infrastructure and controls in place to mitigate hacking, theft and fraud.
Most nations’ central banks are exploring the use of digital currency. It is a trade-off between convenience and privacy: a digital currency can be tracked everywhere it is used and can be set to expire or be invalidated. Digital currency is less about money and more about data, with the potential to disrupt existing payment systems.
Both Federal Reserve Chairman Powell and Treasury Secretary Yellen have stated that the question of the US offering a digital currency is being studied. Powell said issuing a digital dollar would need buy-in from Congress, the administration and the public. [11]
China is the first major economy to create a digital currency. The Wall Street Journal discusses the impact of this move. Watch the video to see digital currency in action: China's New Digital Currency Is Easy to Use but You'll Be Watched (wsj.com). Read the article to learn more about the risks of government tracking every transaction, including foreign companies in China here.
“I have piles of cash at home, the government is paying me cash for my salary because I don't have a bank account.” After being added to the U.S. Treasury’s OFAC sanctions list in August, Hong Kong Chief Executive Carrie Lam says she can’t get a bank account in her own city. Read more in this article here.
Rapidly advancing new technologies, increased cybersecurity threats and greater regulatory focus: in this environment, technology that is a source of strategic strength has nothing to do with luck. It is the result of planning, processes and having the right people. BankOnIT’s systems and people give thousands of bankers greater confidence and more time to be bankers every day.
Are you a bank director with questions about IT compliance that you would like to ask in a confidential manner? Send us a secure note under the Contact section at www.BankOnITUSA.com.
If you’d like to receive the Information Technology for Directors publication directly in your email inbox, please email us at Guidance@BankOnITUSA.com.
----
Sources
[1] Federal Reserve Bank of New York Staff Reports, Cyber Risk and the US Financial System, June 2020 revision
[2] American Banker, October 6, 2020
[3] OCC, Semiannual Risk Perspective (Spring 2020)
[4] FDIC and OCC, Joint Statement on Heightened Cybersecurity Risk
[5] Redscan, NIST security vulnerability trends in 2020: an analysis
[8] Federal Reserve Bank of Boston, Cyber-threat Sharing Forum Fosters Open Dialogue, Non-competitive Environment, Financial Services Organizations Share Information to Thwart Cybercrime