Why vendor security matters to your bank

Today’s fraudsters may choose to attack a community bank’s digital platforms or physical branches and ATMs. But what happens when a cybersecurity vendor isn’t well versed in physical security, or vice versa?

By Karen Epper Hoffman

Physical security and cybersecurity often intersect, which means criminals may not only try to crack a bank’s defenses to defraud its customers, but also those of the vendors and other partners the bank may use to mitigate or limit these incursions.

This is why community banks must consider how they interact with the physical security vendors that secure their branches and ATMs and the cybersecurity vendors that secure their web and mobile channels. As many community banks grow increasingly reliant on an intricate web of vendors, especially those involved with security, this can be a challenge—not only because of the ever-changing landscape of threats, but also because many vendors that work in cybersecurity do not always understand physical security, and vice versa. Some experts question if these areas are merging.

“The landscape continues to evolve for both the physical and cybersecurity in the community banking environment,” says Patrick L. Criss, the information technology and security management head for $125 million-asset Surety Bank in DeLand, Fla. “As community banks continue to move to cloud and core-hosted environments, it is difficult, if not impossible, to separate physical and cybersecurity.”


Criss points out that in the traditional model, a bank could choose the best vendor for each of these areas. However, nowadays, community banks are required to evaluate both aspects of the hosted environment and still maintain internal physical and cybersecurity programs.

“This is also gaining regulatory attention, with the expectation that the same criteria, applied internally, be applied to all vendors with which the bank interacts,” he says. “While the market continues to expand with vendors providing services, there does not seem to be a large number of vendors offering combined physical and cyber [security] services.”

Will LaSala, director of security solutions at OneSpan in Chicago, points out that “the security marketplace is always expanding and changing.” While he says physical security vendors are different than cybersecurity vendors, he believes that “these two worlds are poised to come together in the advent of the IoT [internet of things] becoming more widely adopted.

“Cameras, card access systems and detection sensors all add valuable data for banks to understand the context of transactions in cyberspace,” he says.

Virtual scams

Another factor, according to LaSala, is that most banks are moving toward the “virtual branch” by leveraging more mobile and internet technologies. “This has the added value of not only reducing overhead but being able to leverage other security technologies users have in place,” he says.

For example, if a retail banking customer had their ATM card stolen and the community bank could determine that the actual user was in their house with their smartphone and not down the street using an ATM, banks could immediately react, stop the attacks and offer additional security to their users, he adds.

Jeff Newgard, president and CEO of $340 million-asset Bank of Idaho in Idaho Falls, Idaho, says he has not seen a lot of activity locally to indicate that the industry is looking to consolidate physical and cybersecurity anytime soon.

“In fact, if anything, the two have become mutually exclusive in our market,” he says. “Those who offer physical security alternatives are able to install alarm systems and other basic security measures, but they don’t offer cyber solutions. Likewise, those vendors and solution providers who are cybersecurity specialists often refer you to another business altogether for your business’ physical security needs.”

While the two areas remain independent, Newgard points out that competition within each respective sphere seems to have intensified.

“As the need for both physical and digital security measures intensifies, there seem to be a great many new players entering the market and trying to get their piece of the pie,” he says. “This is true in both areas, but we see little if any overlap between the two segments.”

Criminals looking for financial gain will often exploit multiple channels—online and in the real world—to meet their goals. Criss says that from a physical standpoint, there is an increased focus on card skimming.

“We continue to see examples of this on ATMs and POS [point-of-sale] systems,” he says. “There also is an increase in the number of internal employees capturing card data both manually and with swipe devices. Given the small number of cards that are effective with smaller losses in proportion to mass-card breaches, it is likely this will continue to grow.”

Criss foresees phishing attacks expanding. “The attacks are becoming more complex across the channels in which they are delivered and convincing in their appearance,” he adds.

Newgard says while he has not seen an increase in physical breaches at his bank lately, he has seen an uptick in “old-school physical methodologies for breaching private data” in the bank’s local markets. Examples include skimmers placed on gas pumps to steal card information and phone scams with aggressive callers posing as IRS agents to persuade people to surrender their personal information. On the community bank’s web platforms, Newgard says, “We see regular intrusion efforts on our networks through social engineering efforts, sometimes several a week. Things like emails with links that, when clicked, might try to install a keystroke tracker on an employee’s computer are ever-present.”

“The number of exploits and social engineering attacks is always increasing,” LaSala says. “As security vendors roll out new solutions, attackers find new holes in other locations. It is always a game of cat and mouse.

“As cybersecurity gets coupled with physical security and the IoT, it will become harder for attackers to exploit a number of holes.”

Review your bank’s vendors

Like many other community bankers, Newgard is not looking for a security cure-all, but rather vendors who can meet the challenges of each channel and can respond quickly when the bank needs them. “In a crisis, you need to know that you have experts at your side and ready to help you when called upon,” he says.

For example, an alarm company should not only install and test your bank’s physical security resources regularly, but proactively manage those installed systems to ensure the best result when they’re put to the test. Evaluate the vendor on the timeliness of its response and how adequately it addressed the issue, Newgard says.


“If there are shortcomings or failures, evaluate whether it may be time to find another resource to help you with that service,” he adds. “Security is too big an issue to shrug off mistakes. One mistake, improperly handled, could cost you your reputation and, ultimately, your bank.”

Common weaknesses in vendor risk management programs

Federal Reserve examiners say these vendor risk management weaknesses are common:

  • Insufficient oversight by bank directors
  • Failure to maintain a formal, documented outsourcing policy
  • Vague contract terms, particularly with regard to vendor performance requirements
  • Contract terms that favor the vendor
  • Inadequate disaster recovery tests, especially those related to potential cybersecurity events
  • Inadequate review of vendors’ information security and cybersecurity procedures
  • Inappropriate risk ratings of critical vendors
  • Reliance on one vendor for several critical products or services

Karen Epper Hoffman is a writer in Washington state.