Cyberattacks are becoming ever more frequent and are targeting an ever growing number of institutions. Though banks have long been in the forefront of cybersecurity preparation, they continue to be top targets of cyber criminals. This can be a particular risk for community banks who may not perceive themselves as targets on the same scale as global banks. However, the reality is that community banks also need to prioritize cybersecurity because data breaches can have significant impacts not only on their own solvency, but also on confidence in the larger financial system.
Cyberattacks take many forms. Some hackers are attempting to directly steal money from a bank or its account holders. Other attackers may be seeking information about individuals that can be used to commit fraud, even if they cannot directly access that person’s bank accounts. An increasingly popular type of attack is a ransomware attack, which doesn’t typically steal any data at all, but instead encrypts the data and locks a target’s computer system until the target is willing to pay a ransom to the hackers, typically in the form of cryptocurrency.
In addition to these relatively new risks, the internet has made it far easier to commit older versions of fraud. Community banks must be wary of old fashioned fraud that is Internet-enabled, such as being spoofed by wire transfer requests or attacked by ransomware, which can shut down operations. Community banks are particularly vulnerable to these types of attacks because of their emphasis on individual customer service, which may conflict with types of security steps necessary to avoid these kinds of schemes. In other words, community banks must not let this customer-friendly attitude blind them to the importance of appropriate internal controls to avoid falling victim to fraud.
It is important to point out that community banks are not the only banks at risk from cyberattack and are better prepared for cyberattacks than most other types of businesses. Federal agencies regularly evaluate all banks, including community banks, with a cybersecurity assessment tool as part of their IT examination programs. A similar level of oversight is applied to banks’ core processors.
Preventative Steps that Community Banks Can Take Against Cyber Attacks
Your preparation for a cyberattack should be modeled after how you plan for a natural disaster. As with natural disasters, cyberattacks cannot always be prevented. Thus, all companies need to plan for how they will respond to a breach and must regularly test that plan through realistic simulations. Do not overlook the basics, such as patch management of known vulnerabilities.
It is important to encourage an employee culture of cyber awareness – cybersecurity is not a problem that can be solved through technical measures alone; it requires all employees to be educated, vigilant, and prepared.
Finally, to safeguard against ransomware and other threats to business resumption, keep back-up files to that you will not become hostage to demands. Banks also may participate in industry sponsored programs such as Sheltered Harbor.
How Community Banks Should Respond to a Cyberattack
Business resumption and recovery requirements are the first priority, meaning that a cyberattack must be investigated and responded to as soon as it is discovered. Banks should also promptly share information about the nature of a cyberattack with the industry and regulators through communication channels like FS-ISAC.
Once a breach is confirmed, communicating with your business and retail customers becomes paramount. If data containing Personal Identifiable Information (PII) has been improperly accessed, federal and state breach notification requirements may be triggered. Public announcements about breaches can be a minefield. You need to be able to describe for customers what happened, how you are going to fix it, and what affected consumers can do, which can be challenging before you have completed the investigation. On the other hand, you don’t want to wait so long to notify customers that you are perceived to be evading responsibility. It is important to prepare for such contingencies now and to think through how your statements will be perceived.
Finally, equip your customer-facing representatives with talking points so that they can relay accurate information and provide answers to concerned consumers.