Four ways to safeguard your data

What if another Equifax happens? Spoiler: It will. Data breaches are the new normal, so community banks should take these practical first steps to defend their data and that of their customers.

By Susan Thomas Springer

The Equifax data breach, which exposed the financial information of nearly 146 million Americans, was one of the largest in US history. Hackers stole personal information on a massive scale, including social security numbers, birth dates, home addresses and more. The scandal resulted in the resignation of the CEO and other top execs, a PR crisis and weary consumers wondering who to trust and how to guard against identity theft.

Sadly, it wasn’t the first data breach, and it won’t be the last. To shore up their defenses, community banks should take a multipronged approach to strengthen both their own security and their customers’, along with providing some much-needed peace of mind.

1. Step up authentication

In the wake of a large data breach such as the Equifax attack, community banks can mitigate risk by going beyond their usual authentication methods.
“In a traditional environment, authenticating a customer by social security number, date of birth, address or telephone PIN would likely be deemed sufficient,” says Jeremy Dalpiaz, ICBA’s assistant vice president for cyber and data security policy.

However, when information has been exposed, community banks might want to ask for information that may not have been stolen that only the bank and customer know. That includes the date and amount of the last transaction, the sender of any direct deposits, the approximate account balance, the branch where the account was opened, the beneficiary on the account, or the email and phone number associated with the account. Also, it might be a good idea for banks to use more than one type of authentication and to vary the types of questions asked.

2. Beware of increased fraud

After a large breach, criminals flood the dark market with customers’ private data. In the early days of a breach, it isn’t always known if the stolen data are matched with individuals’ names or if social security numbers and dates of birth are separate.
“When this type of information is released, we often see an influx of phishing and spoofing attacks, generally by email, aimed at bank employees and individuals,” says Dalpiaz. 

Criminals may also call banks and walk into branches attempting to impersonate accountholders. For example, one might approach a teller with an urgent story about a false emergency she is having on vacation and request a wire transfer. For this reason, it’s not just customers who need to monitor their accounts for fraud; bank employees should also be trained to recognize suspicious activity and take the appropriate actions.

3. Vet your vendors

Community banks that rely on third-party vendors to handle back-office operations may want to consider asking many security questions during the due-diligence process. Dalpiaz says banks may want to know how vendors secure their data, their process for alerting the bank of a security incident, and if subcontractors have access to the bank’s data. Banks may also want to ask vendors if they can share recent audit results.

Banks may want to know how vendors secure their data, their process for alerting the bank of a security incident, and if subcontractors have access to the bank’s data.

4. Educate customers

Through a community bank’s website, social media accounts or interviews with local print and television media, banks can arm customers with helpful tools for protecting their identities before and after a breach. For example, ICBA has a customer notification letter template at that member banks can customize with links advising customers how to put a credit freeze in place, obtain their credit report or report identity theft.

Banks can also offer solid advice to customers based on consumer data protection tips from ICBA or the National Cyber Security Alliance (
Education must be an ongoing activity among bank employees and customers. “It’s incumbent on management to create a culture of security that goes across all business lines and all levels of staff,” Dalpiaz says.

Susan Thomas Springer
is a writer in Oregon.

Tools for outsmarting new threats

To stay up to date on the ever-changing tactics of cybercriminals, your bank can become a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC). The organization gathers intelligence from banks across the country, removes identifying details and then sends it to FS-ISAC membership. The goal is real-time intelligence sharing so banks are aware of current threats. Reports detail the tactics, techniques and procedures, called TTPs, of criminal actors, along with mitigation tools and techniques available to fix technical vulnerabilities. FS-ISAC also offers the Community Institution Council, called a circle of trust, in which community banks and credit unions ask security questions and share useful information with each other. Learn more at

ICBA’s Data Breach Information Center also offers members current cyberthreat information. See the latest at