How Community Banks Can Overcome Cybersecurity Paralysis

Cyberattacks are becoming ever more frequent and are targeting an ever growing number of institutions. Though banks have long been in the forefront of cybersecurity preparation, they continue to be top targets of cyber criminals. This can be a particular risk for community banks who may not perceive themselves as targets on the same scale as global banks. However, the reality is that community banks also need to prioritize cybersecurity because data breaches can have significant impacts not only on their own solvency, but also on confidence in the larger financial system.

Cyberattacks take many forms. Some hackers are attempting to directly steal money from a bank or its account holders. Other attackers may be seeking information about individuals that can be used to commit fraud, even if they cannot directly access that person’s bank accounts. An increasingly popular type of attack is a ransomware attack, which doesn’t typically steal any data at all, but instead encrypts the data and locks a target’s computer system until the target is willing to pay a ransom to the hackers, typically in the form of cryptocurrency.

In addition to these relatively new risks, the internet has made it far easier to commit older versions of fraud. Community banks must be wary of old fashioned fraud that is Internet-enabled, such as being spoofed by wire transfer requests or attacked by ransomware, which can shut down operations. Community banks are particularly vulnerable to these types of attacks because of their emphasis on individual customer service, which may conflict with types of security steps necessary to avoid these kinds of schemes. In other words, community banks must not let this customer-friendly attitude blind them to the importance of appropriate internal controls to avoid falling victim to fraud.

It is important to point out that community banks are not the only banks at risk from cyberattack and are better prepared for cyberattacks than most other types of businesses. Federal agencies regularly evaluate all banks, including community banks, with a cybersecurity assessment tool as part of their IT examination programs. A similar level of oversight is applied to banks’ core processors.

Preventative Steps that Community Banks Can Take Against Cyber Attacks

Your preparation for a cyberattack should be modeled after how you plan for a natural disaster. As with natural disasters, cyberattacks cannot always be prevented. Thus, all companies need to plan for how they will respond to a breach and must regularly test that plan through realistic simulations. Do not overlook the basics, such as patch management of known vulnerabilities.

It is important to encourage an employee culture of cyber awareness – cybersecurity is not a problem that can be solved through technical measures alone; it requires all employees to be educated, vigilant, and prepared.

Finally, to safeguard against ransomware and other threats to business resumption, keep back-up files to that you will not become hostage to demands. Banks also may participate in industry sponsored programs such as Sheltered Harbor.

How Community Banks Should Respond to a Cyberattack

Business resumption and recovery requirements are the first priority, meaning that a cyberattack must be investigated and responded to as soon as it is discovered. Banks should also promptly share information about the nature of a cyberattack with the industry and regulators through communication channels like FS-ISAC.

Once a breach is confirmed, communicating with your business and retail customers becomes paramount. If data containing Personal Identifiable Information (PII) has been improperly accessed, federal and state breach notification requirements may be triggered. Public announcements about breaches can be a minefield. You need to be able to describe for customers what happened, how you are going to fix it, and what affected consumers can do, which can be challenging before you have completed the investigation. On the other hand, you don’t want to wait so long to notify customers that you are perceived to be evading responsibility. It is important to prepare for such contingencies now and to think through how your statements will be perceived.

Finally, equip your customer-facing representatives with talking points so that they can relay accurate information and provide answers to concerned consumers.

Seth P. Berman is a partner and leads Nutter’s Privacy and Data Security practice group. He advises clients on the legal, technical and strategic aspects of data privacy and cybersecurity risk, and to prepare for and respond to data breaches, hacking and other cyberattacks. He can be reached at 617.439.2338 or sberman@nutter.com.

Thomas J. Curry is a partner in Nutter’s Corporate and Transactions Department and a co-leader of the Banking and Financial Services group. Previously, he served as the U.S. Comptroller of the Currency until May 2017. He can be reached at 617.439.2087 or tcurry@nutter.com.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.

How Community Banks Can Overcome Cybersecurity Paralysis

Blog Topics

Security Blog

On the Track of OSAC

Blog Roll

Security Industry Association

Security Magazine's Daily News

SIA FREE Email News

SDM Blog

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

How Community Banks Can Overcome Cybersecurity Paralysis

Share This Story

Blog Topics

Blog Roll

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.