The executives of a small Nebraska bank scoffed at spending $500 to encrypt data coming into the bank’s website, a move that would have ensured a higher level of security. Why spend the money, the bank executives reasoned, when they could keep an eye on things? What could possibly go wrong?
A lot, says Denise Mainquist, founder and managing director of ITPAC Consulting, a Lincoln, Nebraska-based cybersecurity firm that has several community banks as clients.
Because it opted not to purchase a security certificate that encrypts data, including personal information, the bank fell victim to wire fraud and lost $60,000 in the process.
The small institution, with less than $500 million in assets, is not alone. Community banks (generally those with less than $1 billion in assets) are always looking to reduce expenses. But Mainquist and other cybersecurity experts who deal with small banks say that when it comes to budget cutting in this line item, the move comes at great peril.
“I’ve found quite a few instances where banks do not have security certificates on the login page to online banking, therefore putting their customers at risk of having their credentials stolen,” says Mainquist. “If the bank does not have someone who understands technology, they will argue that the $500 for the certificate is not justifiable—for all the wrong reasons.”
While Bank of America and other large institutions devote entire units and hundreds of millions of dollars to protect their information systems, community banks often approach the issue on an ad-hoc basis, Mainquist says.
“Most times,” she notes, “the IT officer has been appointed and when they don’t really know what they’re doing, they [often] get very defensive.”
The Nebraska bank was comparatively lucky. Other community banks have lost even more money—in one case more than 10 times as much because of the unsafe practices of its customers.
Cybercrime happens thanks to a chain reaction of things that go wrong along a network stretching from point of purchase to money supply. Banks have more responsibility than most other businesses, because they collectively store trillions in wealth.
In one such case, a bank had a client who refused to use email encryption, said Mainquist. No wire orders or account information were ever sent in emails. But someone was secretly reading the conversations.
Russian hackers, says Mainquist.
And though nothing in the emails themselves would compromise secure systems, the Russians watched the conversation long enough to build a profile of the bank and knew to target the wire operators.
The intruders made a quick 10-second connection into the network on a Thursday morning, likely installing a key logger remotely onto the network to steal the login credentials of the two wire operators. The next afternoon, it looked like the wire system was down for a few hours. But when the system “came back up,” assets had been drained down.
The astonished wire operators logged in and saw that $800,000 had been stolen from the bank. The funds had been siphoned off in $30,000 increments to banks in Canada already closed for the weekend.
The bank called the regulators immediately, recalls Mainquist. But the response was lukewarm: “’$2 billion is lost every other weekend,’” the regulators told the bank. “’Tell us something new.’”
For the bank, it was an expensive lesson.
“This bank was able to cover $400,000 themselves and cyber insurance covered the remainder, minus $50,000 deductible,” says Mainquist, who was quick to point out that the insurance only kicked in because the bank was not found to be negligent. There was another silver lining: “The hackers did not get into any customer accounts. They only stole the bank’s money so they did not need to do notifications to customers.”
‘There are alternatives’
Small financial institutions may not have the resources individually to protect themselves, but there are alternatives, said Kenzie Snowden, a spokeswoman for the federal National Credit Union Administration (NCUA). In fact, thanks to companies that provide such third-party security services, community banks and credit unions don’t face an outsized risk of cybercrime, Snowden says.
These companies “provide additional strong layers of protection such as fraud monitoring and transactional limits on top of what the financial institution allows,” Snowden points out. “As a result, small financial institutions don’t have a disproportionate amount of risk compared to larger financial institutions because the transaction risk is scaled to be commensurate.”
Small banks face another challenge, even when the cyber breach has nothing to do with their system.
When major cyber breaches occur—like those at an online sports book operation, a fast food restaurant chain and a major healthcare organization, just to name a few from this year alone—banks are the entities that make the customers’ account whole through a series of events. These include notification, card reissuance and replenishing any missing funds, says Aleis Stokes, a spokeswoman for the Independent Community Banking Association.
“Cybercrime against retails negatively impacts community banks,” Stokes contends. ”It takes staff time and bank resources to make customers’ account whole. This cost is disproportionately higher at community banks: Fewer cards being printed means they cost more to produce. Efforts to recover funds expended in the wake of a data breach usually result in pennies on the dollar.”
There is no real way to tell just how much small financial institutions have suffered in the aggregate, she adds.
“The cost of cybercrime is difficult to determine because the majority of the costs are associated with indirect costs rather than the actual breach,” Stokes says.” Overall, the costs may have a greater impact on smaller financial institutions because they may have fewer internal resources to deal with the aftereffects.”
So while some community banks try to cut corners and others do what they need to do, all remain susceptible to situations beyond their control—because they store the loot cybercriminals covet.
Regardless, there are safe practices every bank should take. The NCUA lists five ways community banks and credit unions can protect themselves.
- Establish an information security culture and training program. This should promote an effective information security program and the role all employees play in protecting the institution's information and systems. Maintain situational awareness.
- Create an effective IT risk management (ITRM) process. This works to identify threats, measure risk, define information security requirements and implement controls.
- Implement effective security operations. This involves effective asset inventory programs, ongoing patch management programs, vulnerability identification and managing system end of life.
- Test and evaluate through self-assessments and audits with appropriate coverage, depth, and independence.
- Detect and respond to security breaches. Make sure to put an incident response program in place.
Want more Banking Strategies? Sign up for our free newsletter!
Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.