Community banks are particularly vulnerable to merchant data breaches, even if they are not involved directly, Comptroller of the Currency Thomas Curry believes. Smaller institutions face costs of customer compensation, risks to reputation, and vulnerability to lapses in third-party precautions.
To that end, Curry, speaking to community bankers recently, said that he expects banks of all sizes to seriously consider participating in the Financial Services Information Sharing and Analysis Center, as well as making cybersecurity planning a top issue for banking leadership.
“Financial institutions are often on the hook to compensate customers for fraudulent charges, and replace credit and debit cards and monitor account activity for fraud at significant costs,” said Curry. “That’s not easy for any bank, but it’s a burden that falls especially heavily upon community institutions. At a cost of $5 or more per card and covering the related fraud charges, the costs can run up very quickly.”
As chairman of the Federal Financial Institutions Examination Council, Curry created a Cybersecurity and Critical Infrastructure Working Group that conducted a pilot cybersecurity examination work program this summer at 500 community banks. Observations from that pilot recently were released, along with lists of questions bank leaders should consider asking their staffs regarding risks related to cybersecurity.
Discussing the document, Curry said that it encourages management to incorporate cyber-incident scenarios into business continuity and disaster recovery planning.
“The report stresses that management should consider how it will respond to a cyber-attack, not just internally, but with customers, third parties, regulators, and law enforcement,” said Curry.
Curry noted that management should be asking questions about the types of data connections their company has with other institutions and third parties, and whether all of those connections are properly managed.
FFIEC also recently issued a statement recommending that financial institutions of all sizes participate in FS-ISAC.
“With threats evolving so rapidly, we expect management at every institution we supervise to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities. The FS-ISAC is an important resource for institutions to identify, respond to, and mitigate cyber-threats and incidents,” Curry said.
Speaking more generally, Curry warned bankers about the cyberrisks related to complexity and interdependency, and especially the risks community banks face when using third-party contractors.
“Complexity and interdependency create opportunities for hackers to gain access to the systems of financial institutions and the third-party vendors that provide services to the industry. Not only do financial institutions need to have good controls over their own systems, they need to monitor carefully the ways in which they connect to vendors, how these contractors manage their systems, and how these vendors connect to still other third parties.
“Financial institutions also need to be aware of the various ways in which even their own employees may inadvertently create opportunities to compromise systems, by introducing personal (and possibly corrupted) devices into bank networks. In a highly interconnected environment, it can be very difficult to identify and address all of the potential vulnerabilities a bank might face,” Curry said.
Curry acknowledged that his expectations were high.
“But the stakes are high as well,” he said. “The industry’s reputation is at stake, as is the trust that consumers place in their financial institutions. Financial institutions of all types and sizes have a lot of work ahead of them.”