Ask bank executives about their biggest challenge, and they'll probably tell you it's mitigating and managing cybersecurity threats.
Nonstop innovation is shaking up the financial services sector, ushering in new ways of storing information and connecting with consumers. With that progress come uncertainties and risks that banks and other financial institutions must be able to evaluate and handle.
"The landscape is constantly changing," said Marcel Cottman, a manager of examinations focused on business technology risk in the Supervision, Regulation, and Credit Division at the Atlanta Fed. "There are a lot of unknowns, a lot of new technologies, and a lot of new players in the financial space, so it's a lot to manage depending on the level of sophistication of the financial institution," he said.
Risk management, IT infrastructure face scrutiny
Cottman supervises a team of examiners who look at banks' management of information technology hazards and vulnerabilities involving the systems that enable fundamental operations such as account setups, payments, and mortgage applications. The examiners assess elements of the banks' risk management activities, including the analysis and evaluation of operational and technology risk management, systems of internal controls, the quality of the internal and external audit functions, the technology development and acquisition processes, technology support and delivery capabilities (including information security and business continuity programs), and payments.
Examiners scrutinize these areas to ensure that financial institutions have proper internal and external controls in place to thwart attempts to steal data and commit fraud. Banks recognize that cybersecurity is one of their biggest risks, given the reputational and financial damage a cyberattack can cause, Cottman said. As an example, consider the impact of just one common practice known as "credential stuffing," a type of attack where criminals use stolen usernames and passwords to break into online bank accounts (see the table).
Daily Attacks | 232 million |
Annual Losses | $1.7 billion |
Daily Losses | $4.6 million |
Attacks' Success Rate | 10 percent |
Source: Shape Security |
"Cyberattacks come in a number of different forms, requiring a wide array of defenses," said David Lott, a payments risk expert in the Atlanta Fed's Retail Payments Risk Forum. As an example, he mentioned distributed denial of service (DDOS) attacks, which involve the use of a network of computers known as botnets to flood the target's computer system. In such an attack on a bank, legitimate customers would then be unable to access their accounts. In some cases, DDOS attacks have been used as a diversionary tactic for the criminal to initiate a fraudulent large-dollar transaction on an account compromised by a previous credential stuffing or phishing attack.
The Atlanta Fed's Marcel Cottman.
Photo by David Fine
In most data breach attacks, Lott added, the criminal extracts sensitive account information and credentials then sells them on illicit internet sites (often collectively called the dark web) for other criminals to use in unlawful transactions. However, sometimes the attacker just wants to infiltrate and modify account files.
Lott also mentioned ransomware, another type of data breach in which the attacker encrypts data files, and the targeted company receives a ransom demand to get the decryption code to restore the data. The City of Atlanta was a target of such an attack in 2018, and the virus affected a number of city agencies with major effects on revenue and customer service. Atlanta's government has spent an estimated $18 million in forensics and remediation efforts to prevent future attacks. Other municipalities, such as Baltimore, as well as health care providers and educational institutions have been victims of such attacks.
Not a matter of if, but when
In monitoring and advising financial institutions in the Southeast, Cottman says his team's conversations with banks focus on not if there will be a breach, but what will be their response when there is a breach. Though the financial industry has a strong track record of defending itself against data breaches, such fears rank high among bankers' concerns (see the table). "This is the reality," Cottman said. "We have to generally acknowledge that at some point, a bank will be breached. There are just too many variables that banks can't control."
Overregulation | 85 percent |
Uncertain economic growth | 84 percent |
Geopolitical uncertainty | 74 percent |
Cyberthreats | 73 percent |
Speed of technological change | 73 percent |
Source: PWC Annual CEO Survey |
This inevitability highlights the importance of a bank quickly detecting a breach. An institution must be able to disable any unauthorized access, gauge the damage, then repair it. He said examiners encourage banks to regularly test their protocols and policies that specify actions to take in the event of a cyberattack so that employees will know what to do when an incident occurs. "Having a strong culture for how to address issues and resolve them quickly will go a long way in protecting banks' reputation and people's money and identities," Cottman said.
What's more, because of today's rapid innovation, banks continuously confront new cyber challenges. Most banks in the Atlanta Fed's district—which includes Alabama, Florida, and Georgia and parts of Louisiana, Mississippi, and Tennessee—are smaller, community banks. These banks often do not have the same level of resources to hire cybersecurity expertise as their larger counterparts. Community banks "are more likely to have to outsource everything," Cottman said, and depend upon the third-party processors and security applications for protection.
One trend that has raised cyber concerns is banks' increased use of cloud computing. Although cloud-based services can offer efficiency and cost reductions, migrating bank information from onsite legacy computer systems to the cloud environment can pose challenges.
That concern made national headlines in 2019 when a hack into Capital One Financial Corporation's cloud services exposed sensitive data from more than 100 million customers. The Justice Department charged a former cloud-service employee with breaking into the bank's server, and prosecutors allege that the data was retrieved through a misconfigured network firewall.
As banks increase their reliance on cloud services, they will to have to adapt how they interact, assess, and define control with the service providers. Organizations such as the Cloud Security Alliance (CSA) are dedicated to raising awareness of best practices to help ensure a secure cloud computing environment. The CSA promotes certification and tools such as the Cloud Controls Matrix, a framework of cloud-specific security controls. Additionally, the Center for Internet Security offers a top 20 list of best practices and controls to employ in any internet-connected environment, including relationships with cloud service providers. That list includes, for example, guidelines calling for email and web browser protections, secure configuration of firewalls, and malware defenses.
Following the data trail
The Atlanta Fed team, in conjunction with other regulators of the Federal Financial Institutions Examination Council (FFIEC), also monitors third-party service providers, including those hired to operate the systems used in core banking operations, Cottman said.
Cottman said his team encourages banks that use third parties to exercise strong vendor management, in conformance with regulator-defined guidance. Banks should understand who will handle their data and where it will be stored and consider setting limits during contract negotiations.
Banks want to know "how far down the rabbit hole do you go in understanding how data is protected," Cottman said. "Our message to them is that they need to go where the data end. It's their responsibility to control, manage, maintain, and protect their data."
Additionally, Cottman said, examiners are stressing the need for banks to restrict employee access to personal email accounts on their work computers or, at a minimum, install programs that prevent workers from copying company files into their personal email accounts. There are other security controls banks can use to detect and prevent unauthorized transmission of company data to outsiders, as part of an effective data loss prevention strategy. Some banks require employees to pass mock phishing tests in an attempt to block would-be cyber attackers. Multifactor authentication, a security method that uses two or more provable credentials to validate a person's identity, is also playing an increasingly important role, Cottman said.
"Banks have to put a number of these measures in place because, as the axiom goes, the chain is only as strong as its weakest link," Cottman said. "The bad guys only have to find that one missing link to get in, so you need to have multiple control measures to find them and stop them."