Banking

The world around us is in a constant state of change and moving at a pace that has never been seen before. Adaptation is vital to remain relevant in this type of environment. We all know of examples of companies and industries that failed to anticipate and adapt to changing technology and quickly became or are becoming obsolete—Blockbuster, Kodak and the taxi industry to name a few. Whether it was a lack of vision or a lack of belief that change could happen, we certainly do not want to find ourselves on this list.

For organizations of every kind, data breach incidents are "when"—not "if" events. Especially for business entities (like banks) that manage clients’ private information, building vigilance against threat actors, unintentional compromises, and other cyber vulnerabilities is as much a part of risk management as instituting compliance measures. But understanding how to spot weaknesses, build transparency, and engage checks and balances demands a new level of focus and capability for many banks.

On Friday, May 12, a ransomware attack called WannaCry hit computers in Europe, followed by Asia and more than 150 other countries including the U.S. By Monday, the cyberattack had hit more than 300,000 computers, first locking them and then demanding a $300 payment to restore their files. While the identity of the individual or group who deployed the software (WannaCrypt) is yet unknown, it didn’t take long for copycats to pop up. That’s partly because the WannaCrypt ‘exploits’ were taken from the National Security Agency, which had reported the theft in April. About the same time, Microsoft released a patch to protect against the vulnerability. The problem was, few people took advantage of it.

Forrester Research recently predicted that President-elect Donald Trump would face a major cyber crisis within the first 100 days of his presidency. While we can’t yet know if that will prove true, other recent events point to a high likelihood and broad implications for U.S. businesses. Consider this – in the past 12 months, we’ve seen major DDoS attacks, the DNC email leak and subsequent resignation of DNC chairwoman Debbie Wasserman Schultz, personal email hacks of major political and business figures, and an increasingly fragile geopolitical situation.[1] 

In today’s connected world, security breaches are inevitable. Especially for organizations that handle sensitive data like PII, it’s vital to be prepared. Looking at your business with a hacker mentality and putting a cybersecurity strategy in place are your best ways to ensure that when your day comes, you can bounce back without any major interruptions to your business or harm to your brand and reputation. 

Consumer banks and their customers have a new reason to be extra vigilant. Cyberthieves have begun using new malicious software (“malware”) programs to steal credentials from customers of large banks who enter their accounts via Apple iOS and Android based apps. Malware programs like Acecard and GM Bot are proving so pernicious because they can morph into customized overlays to imitate 50 financial-services apps. That feature is attracting the attention of cyber-thieves, mobile phone companies, cybersecurity, and bank regulators.

On July 1, 2016, the FDIC updated its Information Technology Risk Management Program (IT-RMP) with the Information Technology Risk Examination (InTREx) Program. Applicable to all FDIC-supervised institutions, regardless of size, InTREx is intended as a more efficient approach to its information technology and operations risk procedures. It enhances cybersecurity preparedness efforts and puts greater focus on identifying, assessing, and validating IT to ensure that management is able to effectively address institutional risk.

One of the largest financial cybercrime events in history happened in early 2016. Hackers successfully breached Bangladesh Bank’s systems and attempted to steal nearly $1 billion from its account at the Federal Reserve Bank of New York. By the time it was uncovered, the heist had netted hackers more than $80 million.

Verizon’s Data Breach Investigations Report (DBIR) is the most comprehensive and cited source of statistical data and trends related to cyber security incidents. Data breaches are traced, categorized, and analyzed to provide intelligence used by security organizations and businesses of many types and categories.

We recently shared some statistics that demonstrate the cost of cybercrime by industry. Particularly, that the annual combined loss from cybercrime in the US exceeded $525 million (USD) in 2015. While financial institutions have the highest risk of threat and the highest average annual costs caused by cybercrime, virtually every industry is at risk. 

As of 2015, companies in the United States reported annual combined losses exceeding $525 million (USD) due to cyber crime. The majority of these losses stem from malicious code and denial of service attacks. [1]

A few months ago, the HORNE Banking team put together one of our most widely read and shared posts of all time, entitled Hey, Community Banks. This is What Really Matters to Your Millennial Customers. In it, we cited research from the Pew Institute highlighting that the value and power of this group come somewhat from its size: “By 2020, it is estimated that one in three Americans will be labeled a Millennial – and by 2025, 75% of our workforce will be composed of Millennials.” We noted the importance of technology, social media and personalization for banks trying to engage a generation that has more members in the U.S. Labor Force and that is the most diverse, well educated and well informed in our history.

The HORNE Banking team has been active lately, going to select conferences around the Southeast to gather insights about the current and future state of the banking industry. Most recently, I attended the Mississippi Young Bankers (MYB) Study Conference and Convention. In its 66^th year, this event is a chance to learn and network with the future banking industry leaders.