Banks must prepare for the inevitable cyber-attack.
By Michael Scheibach
In the new era of digital banking and e-payments, banks must continually improve their safeguards and strategies against cyber-attacks, which are predicted to increase by 25 percent in 2017, with ransomware — malware that severely restricts access to computers or files until a ransom is paid — leading the way. Tech Micro, a cloud-based security company, also predicts that ransomware and other cyber-attacks will spread rapidly this year to point-of-sale terminals, IoT (Internet of Things) devices and even ATMs.
“The question is not if you’ll be hacked but when you’ll be hacked,” said Lyan Fernandez, executive vice president, chief operating and risk officer at TotalBank, headquartered in Miami and serving South Florida. “So you need to be assured that you can continue to conduct business when you are hacked.”
Achieving this objective requires not only an incident response plan that details exactly what needs to be done when attacked, but also assurance that the entire team, from the board on down, is ready and capable of responding to the situation. Unless senior officers and directors provide their endorsement and proactive support, addressing cybersecurity becomes an even more difficult task.
“The board of directors really needs to be informed about cybersecurity because it all starts with the tone at the top,” said Fernandez. “The board needs to make sure that the institution has a good governance framework. For example, if you don’t have a strong information security officer with good policies and procedures and documentation, you’re not going to be able to move forward on the cybersecurity issue.”
In addition, good governance entails having an effective risk assessment of the IT environment, especially the endpoints, which are the biggest risk for most institutions in terms of how malware enters the network. For example, if bank officers use laptops in the field, the laptops must be encrypted and use a VPN to connect to the network. Otherwise, a bank opens itself up to cyber-attacks. Also important in terms of data governance is patch management, the ability to manage “patches,” or upgrades, for software applications and technologies.
“Patch management is one of the best defenses you have against malware injection into your network,” said Fernandez. “You need to make sure your bank is keeping up with patch management, which is an ongoing requirement. You also need to have penetration testing. You’d be surprised at the vulnerabilities that turn up in a penetration test. You need to have these often and not necessarily always by the same third-party vendor. You want to get different approaches.”
Fernandez believes outsourcing security to a managed service provider is a proven approach; however, the bank must choose a third-party vendor that has the utmost concern about cybersecurity. TotalBank, for example, uses a third-party vendor that offers password protection, as well as Touch ID (for iPhones and iPads) and biometric authentication in the form of eye retina recognition.
Even with a strong vendor, the bank must work in a quasi-partnership relationship in which it co-manages the security program rather than simply abdicating its responsibilities. Although an outside vendor can monitor the bank’s perimeter and environment, nobody understands the bank’s environment better than its own cybersecurity team.
Finally, Fernandez adds, good governance is not complete without cyber insurance, which has become an essential element over the past few years. In fact, cyber insurance has expanded beyond protection against fraud loss to include the loss of customer information and the cost of regulatory compliance.
“Cyber insurance is absolutely necessary,” she said. “I don’t think you can be in banking today and not have some sort of cyber insurance.”
Michael Scheibach is executive editor of BankNews.