In more than 30 years of working for community banks as IT Director or as service provider, I have learned the technology risk with the greatest potential negative impact is the belief “that it could never happen to us.” The “it” may have changed over the years, but the danger has not.
The “it” used to be the possibility of a disaster that called for the activation of a bank’s business continuity plan. For years, many clients – particularly the smaller ones – were just not buying that something like that could affect them. Until 9/11. And Hurricane Katrina. And Hurricane Sandy. Those three previously unthinkable disasters woke the country up in a terrifying way – and caused many of the previous naysayers within the community bank to rethink that belief and instead take business continuity planning and testing seriously.
Fast forward some years.
The “it” in “It could never happen to us” has morphed; it is now the possibility of a systems breach or other security incident that threatens the information security, reputation and financial assets of an organization. “A breach is something a big company needs to be concerned about, but why in the world would we ever be the target?” Or so goes the thinking of many a $100 million or $200 million community bank.
The belief is often held, but not expressed, by individual members of senior management – a dangerous enough scenario. More worrisome is when that unspoken belief is shared by the Information Security Officer and/or the head of Information Technology. In such cases, the bank’s technology security and compliance posture may be informed by arrogance, ignorance, or the defense that “we’re just a small community bank…” Such a belief, in my view, is dangerous, ill-informed and ill-advised, and our experience with hundreds of community banks in the recent past supports that view.
In the last 2 years, I have seen the previously “immune” community bank be upended by scores of incidents involving ransomware, distributed denial-of-service attacks, fraudulent wire attempts, and corporate account takeovers, to name but a few examples. Clients who thought it could never happen to them have been surprised by the incidents they faced, and even more surprised by how difficult it was to get to the bottom of what happened and decide the appropriate course of action. It is these clients who are actively revisiting their security incident response plans, actively strengthening their IT internal audit plans, and actively engaging with threat intelligence services and networks that improve the community bank’s cybersecurity posture for the future.
Such a shift in thinking is welcome – and one that the banking regulators are trying to help promote. With the introduction of the FFIEC Cybersecurity Assessment Tool (CAT) in June 2015, as well as the FDIC’s introduction of the InTREx examination in June 2016, the examiners see cybersecurity as a central technology risk for banks of all sizes to properly address. A critical component they emphasize is the incident response discipline, which should be documented as though an incident were going to happen. The examiners are no longer taken by surprise by a sophisticated scam aimed at a smaller community bank; they see it as not only a possibility but a likelihood over time.
The right question to ask is not whether such an incident will occur, but when it will occur, and how effectively the bank will respond to the incident and protect its reputation, brand and assets when it does.