
14 Oct, 2020

Information Technology for Directors Q4 2020

Cloud delivering faster changes, improved cost-control.

Cloud computing delivered when banks needed to quickly move to Work From Home (WFH) and make rapid changes to meet both employee and customer needs.

Research cited in a recent Forbes article shows that banks leading the way in the cloud are growing revenue at twice the pace of banks that are slower to adopt cloud strategies.

Cutting time-to-market in half for new products and accelerating provisioning speed by up to 50 percent were also credited as revenue-drivers. Other contributing factors were greater agility and enhanced customer experience, along with better support for compliance and innovation.

Considering Cost Cuts? So Are Your Regulators, But Not in a Way You Might Think

Recent regulatory guidance issued by all of the federal bank regulatory agencies confirms that regulators will be focusing on cybersecurity, pandemic planning and vendor management – all with a focus on assessing an institution’s ability to continue delivering financial services to customers, and what impact cost cuts will have on operational and cybersecurity risks.

“Examiners will consider the impacts from instances of imprudent cost cutting, insufficient staffing, or delays in implementing needed updates in their assessment of the institution,” according to the multi-agency guidance release.

Ransomware Skyrocketing in 2020

“The trend has been going up for a while, but in 2020 it has just been skyrocketing,” said Dmitri Alperovitch, chairman of nonprofit cybersecurity think-tank Silverado Policy Accelerator about ransomware events in a recent Wall Street Journal article.

Newest Ransomware Threat: Bank Secrecy Act (BSA) Compliance Violations

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) agencies simultaneously released advisories warning of Bank Secrecy Act violations and OFAC sanctions risks associated with ransomware payments related to malicious cyber-attacks.

Demand for ransomware payments has increased during the COVID-19 pandemic as cyber-threat actors successfully target more networks than in the past. The increased prevalence of ransomware attacks has led to the creation of companies that provide remediation services to victims of ransomware attacks, many times facilitating a ransomware payment on behalf of the victim. These entities (digital forensics and incident response [DFIR] companies, cyber insurance companies [CICs] and audit and accounting firms that specialize in cyber-threat remediation) may not be aware of the potential BSA, OFAC and FinCEN violations they are creating.

To Pay Or Not To Pay. While some large consulting firms have recommended payment of ransoms, the FBI has for years recommended against paying. Paying emboldens cyber attackers and marks you as a target for future extortion (you are identified as someone who has the ability and willingness to pay). The FinCEN and OFAC advisories give more good reasons not to pay.

The Risk Is With Every Customer You Have. Beyond an individual financial institution paying a ransomware demand on its own behalf, institutions also have risks if their customers have a ransomware event and use the institution as a conduit to pay the ransomware demand. For example, BSA / AML (Anti-Money Laundering) risk is created when a customer uses an account to pay a third-party remediation firm that pays the ransom for them, or uses an account at the institution to purchase cryptocurrency through a cryptocurrency exchange for transmission to a cyber-threat actor. FIs also have risks if they are banking entities that assist with making ransomware payments. The FinCEN advisory has identified financial red flag indicators of ransomware-related activity to assist in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks.

Treasury Department's Cybersecurity: More Attention Needed, GAO Says

The U.S. Treasury Department needs to up its game when it comes to tracking, prioritizing and measuring the effectiveness of the financial sector’s cyber-risk mitigation efforts. That’s the recommendation the U.S. Government Accountability Office published in September after a review of the Treasury Department’s key role in supporting many of the efforts to enhance the financial sector’s cybersecurity and resiliency. Unless more widespread and detailed tracking and prioritization efforts occur, the sector could be insufficiently prepared to deal with cyber-related risks.

FBI Ties Recent Bank Hacks to "Credential-Stuffing"

The FBI in September issued an alert about the rising number of credential-stuffing attacks targeting financial institutions.

Credential-stuffing is an automated attack where hackers take collections of usernames and passwords that leaked online via data breaches at other companies and try them against accounts at other online services. When they hit a match, the attackers masquerade as legitimate account holders and bank employees to submit fraudulent transactions.

Prevention Suggestions: Use unique passwords for each account. According to a 2020 survey conducted by a data-analytics firm, nearly 60 percent of respondents reported using one or more passwords across multiple accounts. Multi-factor authentication can also mitigate this type of attack, and its use is strongly encouraged.

Embed Digital in the Business Strategy

A recent study by Deloitte and WSJ Intelligence that engaged 100 CEOs and 400 tech leaders across 22 industries and 19 countries shows the attitudes of CEOs and tech leaders are remarkably in sync about the importance of technology to enable business strategy.

In fact, the research shows that high-performing CEOs are 2.5 times more likely to make technology a top focus to advance organizational goals.

But there are challenges in the process. Among obstacles in leveraging technology to drive business value and impact are legacy environments and insufficient talent, the study found.

Tech Budgeting for the Big Picture

As temperatures cool and pumpkin-spice-everything returns, it’s time for budgeting for the new year.

A good place to start is understanding how existing technology investments in applications, infrastructure and technical staffing support the institution’s strategic objectives for:

  • Business scalability (growth and retrenchment);
  • Capacity to drive innovation and support opportunistic growth;
  • Regulatory compliance;
  • Information security; and
  • Shareholder value.

Is technology a source of strength or a weakness in your institution? Which areas need improvement? And, how will changes in technology help drive the strategic initiatives your institution has set to achieve?

Who's Your Vendor's Vendor's Vendor?

Regulators have encouraged outsourcing as a way of gaining capabilities that would be difficult to obtain otherwise. The key is choosing the right vendor. Here are three items to consider:

  1. Choose a vendor that has limited or no outsourcing to others. Many vendors outsource critical functions to other vendors, which, in turn, also outsource key activities on which the bank relies.
  2. Use a vendor that has its own SOC 2 Type II Audit performed, rather than relying on the SOC audit provided to you by one of your vendor’s other vendors.
  3. Use a firm that receives an FFIEC Technology Service Provider exam. It shows they are doing business with a substantial number of banks and that there are certain controls in place to satisfy regulators.

M&A Due-Diligence Should Include Cybersecurity Risks

Whether your bank has plans to acquire or to divest, having a cybersecurity risk-mitigation strategy now can prepare you for a smooth transaction with the highest value.

High-profile cybersecurity issues have popped up on the mega-merger landscape over the last decade – with consequences of lost deal value, stalled transactions and impaired reputational capital.

A recent poll of IT professionals showed that 65 percent of respondents expressed buyer’s remorse due to cybersecurity issues. Just over a third said they had adequate time to evaluate cybersecurity threats prior to an M&A closing transaction.

Survey Says: Bank Boards Talking Tech

Technology is on the agenda at most every board meeting, particularly for companies with assets under $500 million. That’s one of the findings in Bank Director’s 2020 Tech Survey.

The topic of board focus when tech is on the table is cybersecurity. Among banks of all sizes, 91 percent reported that cybersecurity was on the agenda. That is far and away above the next most common topic – staying on top of tech trends – which garnered board attention less than half of the time during technology discussions.

Banks Launch Anti-Phishing Campaign Aimed at Consumers -- #BanksNeverAskThat

The American Bankers Association launched a playful public-service campaign designed to better educate consumers about fishy phishing schemes. The campaign, #BanksNeverAskThat, coincides with National Cybersecurity Awareness Month in October.

The designed-to-be-shared campaign – a website, videos, an online quiz and a social-media push – uses attention-grabbing humor and other engaging content to empower consumers to identify bogus bank communications asking for sensitive information like passwords and Social Security numbers.

One head-tilting fact from the campaign: Millennials are duped by these schemes more often than their elders.

The Federal Trade Commission estimates that consumers lost $1.9 billion to phishing schemes in 2019, and the ongoing pandemic has only increased the threat.

The Final Word

“Far too often we speak of technology as an operational risk. But technology is also an operational enabler – providing capacity, redundancy and access. We must foster innovation and embrace technological innovation by managing associated risks, not running from them. Our banks, businesses, and consumers will be the beneficiaries.” – Jelena McWilliams, Chairman FDIC

Full text of McWilliams’ Oct. 8, 2020, speech

Are you a bank director with questions about IT compliance that you would like to ask in a confidential manner? Send us a secure note under the Contact section at www.bankonitusa.com.

If you’d like to receive the Information Technology for Directors publication directly in your email inbox, please email us at Guidance@BankOnITUSA.com.



This publication attempts to provide timely and accurate information concerning the subjects discussed. It is furnished with the understanding that it does not provide legal or other professional services. If legal or other expert assistance is required, the services of a qualified professional should be obtained.
