IT Security: The New Security Turn


Once mostly aimed at the biggest banks, cyber-attacks could increasingly target community banks, federal regulators warn

By Karen Epper Hoffman

It’s no secret that many of the nation’s largest banks were under a virtual cybersiege last year, as hackers mounted a bevy of distributed denial of service (DDoS) attacks on those institutions.

But what about the hundreds of community banks that are nothing like the higher-profile JPMorgan Chase & Co., Wells Fargo & Co. or Bank of America Corp.? Are they being overlooked by these cyberattackers because they lack the scale and brand name of their bigger counterparts?

Answer: Not any more.

While cyberattackers have initially aimed their malware and online attacks on the biggest whales of banking—the nation’s largest financial institutions—it seems these
cybercriminals are moving down the line, targeting community banks as well as their bigger brethren, in search of an easy score. Indeed, the issue of community banks facing a greater cyberthreat has grown great enough to capture the attention of federal financial regulators, who have vowed to devote time and resources to helping the nation’s community banks fend off these attacks.

“We have much work to do as regulators to make sure the banks and thrifts we supervise are doing everything necessary to protect themselves,” said Comptroller of the Currency Thomas Curry in a prepared release. “This is not a problem that can be addressed by one agency alone or by any one institution acting on its own.”

In mid-September, the Office of Comptroller of the Currency released an announcement reiterating its commitment to supporting the community banks it oversees in mitigating their risk from online attack. Since community banks tend to depend more on third-party vendors for their IT services, the OCC set up a new senior-level position to work with the community banks and their service providers. The agency said that it would even request more authority from Congress, if necessary, to help community banks protect themselves from cyberattacks.

The OCC announcement came on the heels of a number of other developments that point to regulatory concern about the malware menace that faces banks big and small. The FDIC pointed to the DDoS attacks suffered by JPMorgan, Wells Fargo and other large banks in last spring’s edition of its Consumer News bulletin. In the article, the FDIC applauded industry efforts to manage and contain the onslaught of online attacks, which were aimed at undermining and overloading the bank’s systems.

“This is not a problem that can be addressed by one agency alone or by any one institution acting on its own.”
—Thomas Curry,
U.S. Comptroller of the Currency

In June, the Federal Financial Institutions Examination Council created the Cybersecurity and Critical Infrastructure Working Group, aimed at improving “communication among the FFIEC-member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups.” And, previous to its release, the OCC hosted a webinar over the summer to help build awareness among community banks about cyberattacks and what their IT departments and senior managers could do to mitigate the risk.

While regulators have expressed concern about banks of all sizes, experts say that community banks may be especially under the gun since they do not necessarily have the same level of in-house staff and expertise, or the deep pockets, as their larger counterparts to mitigate the latest Internet-based dangers. Add to that the other technology and compliance demands vying for a community bank’s time and resources, and community banks have their cybersecurity work cut out for them.

“This is particularly true for institutions that don’t outsource their processing to large core providers that can also provide these levels of protection to their client base, spreading the expense across hundreds of small institutions,” says Shirley Inscoe, senior analyst for the Aite Group, the Boston technology consulting firm.

According to Joe Rogalski, security consultant and a former fraud and compliance officer for First Niagara Bank in Buffalo, N.Y., community banks might represent “lower hanging fruit” as cybertargets because they may have more manual processes than the large institutions. While the DDoS attacks on the big banks garnered a lot of press attention, he says that ACH and wire fraud attacks, as well as malware aimed at bank employees and customers, can be just as damaging for banks of all sizes.

Al Pascual, senior analyst with Javelin Strategy & Research in Pleasanton, Calif., says, “Not everyone can deploy the latest and greatest security technology available.” He points out that in other industries, particularly those doing business online, smaller players are starting to feel the bite of cyberthieves and hackers more and more.

Pascual says that more effective authentication and security technologies, like behavioral and transactional analysis, are more difficult to compromise and therefore more effective—but also more expensive to implement.

This may be just the tip of the iceberg, industry observers say, as online criminals become more sophisticated and collaborate, and as larger banks become more effective in their efforts to protect their financial fortress. Business customers may face an even greater threat. “In other forms of fraud, they are attacking mid-size businesses, and where those companies [conduct their banking] is irrelevant to them,” says Inscoe. “Businesses tend to have larger balances than consumers, so this is an attractive area for organized fraud to target.”

Karen Epper Hoffman is a financial writer current working in Europe.