The threat of a cybersecurity attack has long hovered over the heads of bankers, but that risk spiked late last year with conflict and heightened tensions between the United States and Iran. That follows an overall trend over the past few years of increasing and more sophisticated attacks focused on the financial services industry.
Whether it’s a data breach that exposes private information about your customers to the public, an attack that locks up your servers, or even a full-fledged strike that wipes clean all of your data, bankers need to defend against a range of threats. As the number of devices on which customers expect instant access to their data proliferates, the number of opportunities for bad things to happen notches upward.
Some say it’s just a matter of when.
“We know that nation states have the ability to break through the controls and protections we have in place at any institution if they really wanted to,” said Trey Maust, a banker and founding board member of Sheltered Harbor, a broad-based industry initiative working to protect bank data. “They have not acted on that within the financial sector because of the fear of mutual destruction.”
But what happens if those tools were to fall into the hands of terrorist groups or other bad actors? The hack of Sony Pictures, where data was erased and bundles of confidential and compromising emails were publicly released, offers a prime example.
“If that were to happen at a major financial institution or a series of smaller ones or even a local institution, the cascading impact could severely erode public confidence,” Maust said.
Crises such as the coronavirus pandemic add a new battle to this multi-front war between bankers and bad actors. Some experts say that the U.S. financial industry has better fortifications than most other parts of our economy to repel an attack. And even if a major cyberattack were to hit a U.S. financial institution, the industry has measures in place and robust initiatives underway to ably recover. It’s difficult to even know the scale of the problem, and just how many cyberattacks have been successful, since institutions keep that information quiet.
Too small to fight?
Rather than falling below the radar of hackers and large-scale criminal enterprises, community banks might seem to be an easy target compared to larger competitors. “A cyberattack can be devastating to a bank not only financially but reputationally as well,” said Brad Lane, president and CEO of Security Savings Bank in Gowrie, Iowa.
One banker surmised that community banks that are victims of a cyberattack unfortunately (and perhaps unfairly) suffer stigma, even if the bank was doing everything right.
For Lane’s bank, prevention has been key — a sentiment echoed by many of his peers in the industry. The bank stresses exercising an abundance of caution when opening email attachments and clicking on links. “Training is huge, and I really think the No. 1 way that a lot of people gain access to your system is through your employees,” he said.
The coronavirus pandemic potentially represents another opening for cyber thieves. “It might be an opportune time for these criminals to reach out and try to attack the system because we are maybe looking the other direction a little bit,” Lane said. And the effort isn’t limited to the IT department. It’s up to everybody in the organization to protect systems, he said.
When Lane started in the industry 26 years ago, a cyberattack required a perpetrator to enter the bank. “Now we’re worried about these individuals in other countries coming in and getting access to our systems,” he said. “And they can do that at any time. They’re looking for the low-hanging fruit. We want to make sure we have our systems in place so we aren’t low-hanging fruit.”
A near miss
Imagine getting a call from your IT chief saying it appears your institution’s data may have been breached. Your bank’s alert system already kicked in, calling and sending overnight emails to customers alerting them that their accounts had been compromised. The minute the bank opens the next day, worried customers call and stream into your branches.
This exact scenario happened to a client of Kris St. Martin, vice president at CBIZ, a commercial insurance provider for the banking industry. Fortunately for his client, the breach turned out to be a false alarm, a glitch in new software. But it was a harrowing three-day period for staff before they were certain nothing happened. And it cost the bank $175,000.
“A whole series of ‘worst things that could happen,’ ” is how St. Martin, a former banker himself, described it.
CBIZ receives three to four calls per month from clients about possible cyber intrusions, about half of which turn into claims. Nationally, cybercrimes resulted in more than $3 billion in losses in 2019. “The amount of losses in cyber compared to old-fashioned robbery … it just dwarfs it,” St. Martin said.
Banks are unfortunately and understandably a favorite target of bad actors. Financial service firms may experience up to 300 times more cyberattacks per year than other industries, a Boston Consulting Group report found.
A study by Positive Technologies said malware and social engineering (deceiving an insider to gain access or critical information) are by far the most popular cyber-warfare techniques.
In March, core provider Finastra was hit with a malware attack. Finastra said the hackers were unsuccessful in reaching customer and employee data.
Major data breaches at Capital One, Home Depot, Target and Equifax show that large organizations are vulnerable too. It’s hard to gauge how prevalent attacks are, said Allen Eaves, director of information security and compliance services at Jack Henry & Associates. “It’s tough to put our arms around how big the problems are because most organizations don’t want to talk about it after they’ve been breached,” Eaves said.
If an organization can keep news of a data breach quiet, most will. “What has to be disclosed and how it’s disclosed and who it gets disclosed to — not all of that is a clear pane of glass,” Eaves said.
What happens if data is wiped from a bank’s servers? That’s the question that has always nagged at Maust. A co-founder of Lewis & Clark Bank in Portland, Ore., Maust was part of a group that came together following the U.S. Treasury’s Hamilton Series of exercises, which simulated a range of cyberattacks on the U.S. financial system. In late 2015, 34 firms, trade associations and organizations from across the industry decided to devise a data recovery standard that was accessible to banks and brokerages of every size.
The result was Sheltered Harbor, a not-for-profit that offers specifications, guides and resources, and certification to institutions to ensure their data remains intact after a cyberattack renders traditional disaster recovery and business continuity plans ineffective.
“We need to make sure that under any circumstance we have an uncorrupted data set of critical information for each firm so that in the event there is a destructive cyberattack, that information is preserved and it can be brought back to life,” said Maust, who is former CEO of Sheltered Harbor.
Sheltered Harbor was cited as an industry standard by the FDIC and the Office of the Comptroller of the Currency earlier this year, and it has broad buy-in. Financial institutions taking part collectively hold 72 percent of the nation’s deposit accounts, 71 percent of the nation’s retail brokerage client assets and 41 percent of the nation’s assets under management. Maust said 14 core processors are also behind the effort.
A key component of the certification is data vaulting and having an “air gap” between the data vaults and connection to the outside world. It requires a physical process to bring the vaults online. Each day’s data is backed up and stored offline.
“The requirement is that the medium you use has to be immutable,” Maust said. “Once it’s written on, you can’t write over it. You can’t corrupt it.”
Maust said Sheltered Harbor isn’t intended to replace institutions’ disaster recovery and business continuity plans. “This is a lifeline to make sure the institution, the bank, the customers’ and public confidence can continue,” he said.
Just as machine learning is finding its way into our everyday lives, so has it made its way into cyber criminals’ arsenals. Think of computers attacking and working to outwit your bank’s network the way Boston Dynamics robots learn to tackle obstacle courses in online videos. Combine that with the ongoing communication between the criminals, and it creates a highly efficient operation.
“Once they’ve created something, they have a way to proliferate the malicious code and malicious attacks through automated channels, through botnets, through insiders,” said Nayan Patel, cybersecurity practice leader for Global Services at Fiserv. “You can have a million variants of an attack a day.”
As bizarre as it may sound, that helps their bottom line, and these enterprises have the same approach as any business. They measure return on investment just like you.
The attackers are also targeting community banks more than they did a decade ago, Patel said, in search of those that require the least amount of effort — better ROI. “That has been increasing linearly the last three or four years, and has certainly increased from 2018 into 2019,” Patel said. “We expect the same in 2020.”
When we are creating as many as a quintillion bytes of data daily, the challenge to stop evil actors is daunting, Patel notes. “To react to all of that data all the time has become almost impossible, especially to do it by yourself,” Patel said. “The ability for criminals to get in has expanded. Part of our job is to shrink that, by creating obstacles.”
Core as a defense
Community banks utilize their core providers as their primary line of defense against cyberattacks, giving them stouter protection than most could mount on their own.
“JPMorgan Chase is huge, has its own information security department and in-house systems and is very sophisticated,” said Kent Belasco, director of the commercial banking program at Marquette University and a former chief information officer at a regional bank. “But a very small community bank, processed by FIS, Jack Henry, Fiserv, their systems are comparable to the big banks, so everybody’s pretty much on par these days, technically.”
At some level, Belasco said, part of the burden for cyber defense falls to community banks. And lacking some of the resources of bigger banks might give them greater exposure, but the point may be moot. “The reality is for community banks, large banks, any size banks, is if the hackers want to get in or they target you, they will get in,” Belasco said. “It’s not a matter of if, it’s a matter of if they think you are worthwhile enough.”
On the front lines at core provider Jack Henry & Associates, security experts closely monitor the traffic passing through its firewalls.
“It spits out notices saying, ‘we blocked this traffic, we blocked that traffic,’” said Eaves of Jack Henry. “That certainly is important. What’s more interesting is not what the device stops but what was allowed through. That’s what I really want to know more about and understand at a more intimate level.”
A team reverse engineers or observes malicious code in controlled lab environments or a “sandbox” to study how the code behaves and communicates. It feeds that info into Jack Henry’s threat models so it can spot and stop the traffic next time. It also shares the data with industry security consortiums.
“It’s really tough in most situations to come from the outside and brute force your way in,” Eaves said. “Most of the times where you’re seeing breaches take place had some element of somebody helping from the inside, in many cases, unwittingly.”
Entry is gained by impersonating someone or concocting a plausible enough story that a bank staffer lets down the defenses. That’s the social engineering that’s among bankers’ biggest worries.
Bankers are so customer-service focused, so willing to go above-and-beyond, Eaves said, and that only plays into the hands of the malicious actor. “The damage can be very, very significant.”
St. Martin said bad actors have gotten much better at recreating something that looks like a customer’s email or an internal email request, both in terms of graphics and language. Once they gain entry, they will quietly observe email traffic, looking for an opportunity to pounce, such as when a CEO or someone in leadership goes on vacation. Then the bad actors will step in and email a staffer from the CEO’s email account telling them to pay a vendor but use a different account number or to transfer funds to an offsite account.
St. Martin said that among the threats they face, data breaches are a bigger concern among most bankers than losing data, which can often be recovered by using backups. The release of personal information of longtime customers, maybe prominent community members, including tax statements or business plans, could result in lawsuits on top of crippling financial and reputational damage.
COVID-19 adds complexities
As Americans have sheltered in place, they’ve grown increasingly reliant on digital banking. Fiserv said it has seen a 30- to 50-fold increase in the number of phishing sites under the name of organizations such as the World Health Organization and the Centers for Disease Control, aimed at “folks looking for information on the coronavirus,” said Patel.
“Everyone’s at home, yet they still have to do their day-to-day financial transactions,” said Tim Bedard, director of security product marketing at cybersecurity technology company OneSpan.
A recent OneSpan survey of financial institutions revealed 44 percent of respondents said their digital account opening process was “somewhat secure” and 5 percent said their process was “not secure.” The current pandemic only exacerbates the urgency to address those shortcomings, as consumers want or even need to do their banking online.
“The bankers that say they aren’t secure, they’re scrambling,” Bedard said. “The ones that say they’re doing an okay job, they’re scrambling too.”
Any time there is a crisis, criminals try to take advantage, said Steven Estep, director of operational risk at the Independent Community Bankers of America. “Strong cyber and data security efforts are always critical, but at times like this, it is critical for people to remain vigilant.”
It’s not all doom and gloom. Despite the ever-evolving threat landscape and the sheer volume of attacks targeted at them, banks are more fortified against an attack than most other industries, Eaves said.
While financial institutions are very much on the frontlines against varying attacks, Eaves said, they are “overwhelmingly in better shape than other organizations that don’t have the regulatory expectations, and don’t have thought-out cybersecurity protections and controls that most financial institutions have to have in order to simply do business today.”