Editor’s note: This column was included in the Oct. 31 version of The Pulse, a weekly BankBeat newsletter sent to subscribers.
It’s Spooky Season, and there’s plenty to fear these days (next week’s election notwithstanding). Fraud is on the rise and we’re all vulnerable.
The statistics for individual fraud are staggering. According to the FBI’s 2023 Internet Crime Report, the public reported 880,418 complaints of cyber-crime to the FBI, a 10 percent increase from 2022.
In 2023, there were more than 3,200 data compromises, up from 1,801 the year prior, according to the Identity Theft Resource Center. A study conducted by the Federal Reserve Bank of Boston indicates that check fraud in 2023 was $20 billion, up from $100 million in 2006.
This year, the greatest headline-generating breaches occurred outside of banking, yet they could very well have impacted your bank operations.
Integris, an IT service provider that serves the financial industry, has released a study that offers a glimpse into what bankers are focusing on with regard to technology. Cybersecurity continues to be a top concern for bankers, just as it was in 2023, with a near-unanimous number of bank executives saying “fear of a cyber breach” was among their top three drivers of current IT spending.
Bankers believe they need to invest more to keep up, but they are unsure about how, exactly, they should be allocating resources. This is worrying.
Earlier this month, I sat in on a cybersecurity-focused learning session at the Bank Holding Company Association’s Fall Seminar, which was led by Kris St. Martin of CBIZ and Carolyn Purwin Ryan with the law firm Mullen Coughlin. Compared to other business sectors, St. Martin said, banking has been a leader in cyber fraud prevention. IT investments aside, St. Martin said bankers could also increase training for staff and for customers. “The more I think you educate your customers on all of this, it’s going to create goodwill,” he said.
Bankers also need to assess how their vendors create vulnerabilities, especially when a vendor has access to a bank’s data (think core provider). Before a vendor breach occurs, find out what the vendors’ obligations to the bank are, Purwin Ryan said. “They might limit their obligation to simply notifying banks which customers are affected, placing the onus to notify on the bank.”
So look at those vendor contracts with an eye to the vendors’ limitations. Most contracts, Purwin Ryan said, are written to benefit the software companies. “It is important to determine who is the data owner … because that ultimately decides who is going to be going through the notification process.” She also suggested that a timeframe for notifications be laid out in the contract, and that banks be wary of language that limits vendor liability to what the bank is contracted to pay for a certain term. Example: If you are contracted to pay $50,000 in one year for a service, the ceiling for their liability might well be $50,000. “In a lot of these fraud cases,” St. Martin said, “that isn’t nearly enough, especially if the bank is later sued as a result of the breach.”