Last month, three regulatory agencies — the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency — unveiled a draft plan that would determine how the federal government monitors cybersecurity threats against large domestic and foreign banks operating in the U.S. with $50 billion or more in assets.
“Due to the increasing interconnectedness of the U.S. financial system, a cyber incident or IT failure at one entity may impact the safety and soundness of other financial entities and introduce potentially systemic consequences,” the draft plan stated.
While the focus on the larger banks is understandable, it nonetheless failed to consider the other end of the banking spectrum: the nation’s smaller financial institutions, including community banks — which comprise nearly 97 percent of all U.S. banks — as well as credit unions and independent financial services providers.
While most news reports on cybersecurity focus on various data breaches and online attacks at larger institutions, that does not mean that smaller financial institutions are operating under the radar of the cyber criminals.
“There are more headlines when large banks get hacked,” said David Dineen, executive vice president and head of community banking at New Canaan-based Bankwell.
“Smaller banks still have the same challenges as the larger banks do,” said Daniel Conroy, chief information security officer at Stamford-based Synchrony Financial. “But not with the same resources.”
Conroy added that the complexity of cybersecurity threats against financial institutions of all sizes has grown substantially in recent years and threatens to grow even larger.
“We can use a sports analogy to describe this,” he said. “In 2007, cybersecurity was like the Super Bowl with one team against each other. Today, it is the equivalent of one team playing against everyone in the stadium. By 2020, it will be like one team playing everyone in the city.”
Yet John Yoon, director of the Center for Academic Excellence in Information Assurance and Cyber Defense at Mercy College in Dobbs Ferry, warned that the corporate leadership of these smaller financial institutions is not ready for this type of game.
“I think it is because security is not prioritized by executives of small banks and credit unions,” he said. “A data breach or identity theft could happen at any time. But if you have larger manpower monitoring the patterns of attack and strong banking software, then 90 percent of intrusions can be deflected.”
But that could be easier said than done. Conroy noted that the desired manpower is not an easily obtained commodity in today’s job market. “Even if the small banks wanted to hire IT talent, there is negative unemployment in this space,” he said.
And prices for cybersecurity software solutions have spiked over the past few years.
“Up until a few years ago, we would provide firewalls for small to midsize businesses for less than $10,000,” said Dale Bruckhart, vice president of marketing at Digital BackOffice in Milford. “Now it is more than double that.”
Despite the obstacles, smaller financial institutions are not overlooking cybersecurity concerns.
“Despite having a smaller footprint than the larger organizations, smaller banks must implement adequate and effective controls to protect customers and the bank from any intrusions,” said Lynndel Bartulis, senior vice president and chief information officer at Newtown Savings Bank in Connecticut. “We take the subject of cybersecurity risk management very seriously and approach it from the technical, management and educational perspectives to ensure the bank, our customers and their accounts are safe from cybersecurity threats or vulnerabilities. Whenever we implement new or manage existing processes, cybersecurity risk is always one of our key concerns. We adhere to guidelines offered by our regulators, industry specialists and cybersecurity experts.”
For Bankwell’s Dineen, a secret weapon in fighting against cyber threats is maintaining a proactive relationship with customers and keeping them informed of the potential for danger.
“We constantly interact with customers,” he said. “If we see anything out there, we try to stay ahead of it. On a regular basis, we put out security tips and best practices.”
Bankwell also enforces a policy of behavioral analytics that monitors customer behavior to determine if a certain transaction could be a red flag. “Anything that looks like it is not ordinary creates an alert that is pushed out to customer,” Dineen said, adding that his bank is “constantly working” with regulators, including the Federal Reserve and FDIC, and with industry associations such as the National Automated Clearing House Association, an electronic payments trade group, to stay ahead of cyber concerns.
Synchrony Financial’s Conroy noted that smaller financial institutions would benefit from membership in the Financial Services Information Sharing and Analysis Center, a resource that provides updated information on cyber and physical threat intelligence from all parts of the world.
“It’s a global problem. It’s what I call crime as a service,” he said, adding that Synchrony Financial recently partnered with the University of Connecticut’s School of Engineering to create a center designed to promote cybersecurity research and develop information security talent.
On the subject of talent, many smaller financial institutions have to rely on third-party vendors for their cybersecurity needs. But that solution could also create new problems.
“There was a breach at Target about two years ago that was traced to the subcontracting vendor for the HVAC system in the stores,” said Digital BackOffice’s Bruckhart. “I would recommend having all third parties audited.”
Mercy College’s Yoon recommended a modularized approach for smaller financial institutions building a cybersecurity defense that mixes external and internal input. “All cryptography and encryption should ideally be developed inside the company by hiring employees,” he said. “Of course, one should also consider the possibility of insider hacking — and if that occurs, it could be a big problem.”