Despite weak links continuing throughout the global supply chain, institutions are still actively expanding — and the key to every growth strategy is a sound technology foundation. A lack of readily available tech components can be a big hurdle in achieving your objectives. If you are planning to expand, be sure to ask your vendors what supply chain disruptions they are experiencing and how these impact the plans you have for your institution. (Pro Tip: Throughout your initiative planning, prioritize decisions that require hardware components to allow plenty of time for the unexpected.)
BankOnIT is helping clients improve their outcomes by preparing on behalf of our community. Read about one bank's experience here.
Materials aren't the only thing in short supply. For example, 35 million people quit their jobs in 2021, and there's still a significant shortage of qualified applicants for open tech jobs. In addition, post-Covid, people are rethinking lifestyle decisions about what they want for their remaining work years. One executive commented that a technical employee of more than 20 years had recently given two weeks' notice — the long-time team member was going to work for a non-profit where they felt they could make a different kind of contribution.
Financial institutions, and other non-technical firms, are also often struggling to compete for the same talent as the most innovative tech firms in the world.
Russian intelligence agencies have increased cyberattacks against Ukraine's allies, according to a study published by Microsoft [i]. The report stated that 63% of the observed activity was directed against NATO members, with the US being the most frequently targeted nation at 12%.
Russian operatives are also targeting three distinct populations with influence campaigns: (1) the Russian population, to sustain the support of the war against Ukraine; (2) the Ukrainian population, to undermine the country's willingness and ability to sustain the war; and (3) American citizens and our allies, with the goal of undermining unity in support of the war while also deflecting criticism of possible Russian war crimes.
Last year's SolarWinds incident demonstrated the sophistication of Russian intelligence agencies' offensive cyber capabilities. As written in last quarter's newsletter, Russia is one of the top four countries worldwide with the capabilities and willingness to use offensive cyber-attacks.
The report also showed that some of the most vulnerable systems are government computer systems and those supporting critical infrastructure — specifically those that are locally hosted. As such, cloud-based, off-premises hosting is preferred to local, onsite hosting.
Federal banking regulators have had more releases concerning the threat of cyber-attacks against financial institutions over the past 18 months than in any previous 18-month period. Read more here. The focus in 2022 is on operationalizing these releases, which means financial institutions should expect deeper questions and more scrutiny. Regulators have suggested that working collaboratively with others in the financial industry, as opposed to taking a siloed "on your own" approach, can help significantly reduce risk.
Effective cyber security is best accomplished when the board and CEO are involved and establish that technology and technology risk management are an institution-wide priority. It is also imperative that cyber security is not viewed as an afterthought but instead is woven through the infrastructure and culture. Following are a few proven suggestions.
Regulators continue to emphasize the importance of MFA, a method to authenticate logins by adding another step beyond a username and password. Appropriate thought should be given to employee access (remote and at the office), customer access (online services), and vendors. (Remember to also ask your IT audit firm and other vendors about MFA and other controls and the oversight they are under.)
There are several technical resources (some publicly available, some private such as FS-ISAC, and still others that require government security clearance) to which we subscribe. Institutions should also consider resources such as industry-specific networking groups and vendors who focus on financial institutions and can use event correlation to benefit all client community members.
Your in-house technology leaders and the vendors you rely on should be able to answer board and executive officer questions in a way that is understandable, allowing decisions to be made that support the goals of the institution. Monitoring metrics (some examples are below) for trend analysis and asking questions about what is driving the results (positive as well as negative) will aid in getting the outcomes you want out of technology.
----
Are you a board member or executive officer with questions about technology risks at your financial institution? Send us a secure note under the Contact Us section of bankonitusa.com.
[i] Defending Ukraine: Early Lessons from the Cyber War (microsoft.com)