Byting back

TBA challenges bank cyber risk with new programs, offerings and educational initiatives

Managing cyber risk in the digital age can seem daunting for bank leaders. And for good reason.

Not only are financial institutions at an increased risk of cyberattacks but certain attacks impacting their sector, like Distributed Denial of Service (DDoS) attacks, have grown in size and frequency, according to “The Impact of Cybersecurity Incidents on Financial Institutions” white paper created by the Identity Theft Resource Center and Generali Global Assistance.

Other startling facts the white paper revealed include:

Financial services firms are hit by security incidents a staggering 300 times more frequently than businesses in other industries.
Social engineering, which relies on the trusting behavior of the initial victim, in many cases employees, is being increasingly used in cyberattacks leading to data breaches.
The average total cost of a data breach in the U.S. reached a record-breaking $7.35 million, a 5% increase from the previous year, according to a 2017 report by the Ponemon Institute and IBM.
A malware attack costs a financial business around $825,000 on average to resolve; however, when a financial company faces a DDoS attack, which specifically targets their online banking services, the business costs skyrocket to an average of around $1.8 million.

While these facts are sobering, regulators and customers expect banks to take reasonable measures to protect their systems and consumer data. And Texas banks do, spending millions of dollars on technology, personnel and processes to demonstrate compliance with their state and/or federal regulations.

But compliance does not equal security. And, in addition to protecting customers and meeting compliance requirements, banks have a vested interest in protecting their employees and hard-earned reputations.

That’s why helping community banks become more cyber mature — not just compliant — is a top priority for the Texas Bankers Association. This is top-of-mind year-round, not just during Cybersecurity Month. TBA has developed a number of programs, educational opportunities and products to help Texas banks fight back against cyber criminals.

Cyber Benchmarking Study

TBA recently conducted the first-of-its-kind cyber benchmarking initiative to help Texas banks better understand their level of cyber resilience. The study, funded by TBA at no cost to its members, is the first comprehensive analysis of its kind in the nation. Approximately 20% of all Texas banks participated across six different asset classes. Participation allows them to compare their cyber maturity to peers of their asset size and charter type and it enables bank leaders and their IT teams to identify areas for enhancement.

Participating banks provided their most recent cyber audit data, which was anonymized under a non-disclosure agreement to protect its confidentiality from anyone outside the study as well as from other participants. It’s the data that was entered into the Cybernance platform, which automated the cybersecurity assessment tool (CAT) from the FFIEC.

The process of providing each participating bank with their results is now underway. The early results are promising and indicate the overall state of cyber resilience in Texas banks is strong. Most banks have established programs to ensure that they can meet at least the minimum requirements for cyber audits by federal and state agencies.

Information sharing

A key area evaluated in the benchmarking survey was information sharing (threat intelligence and collaboration).

In order to ensure our bank members are well-positioned to address this area, TBA is launching its TruStar threat intelligence and collaboration platform. TruStar will help Texas banks cut through intelligence “noise” to share relevant, timely and actionable information on a peer-to-peer basis. It will be run for Texas banks by Texas banks.

The TruStar pilot is underway. In the coming weeks, we will share additional news about joining this pioneering effort.

Banking Online Safely

Educating customers about being safe while conducting bank business online is critical to building layers of cybersecurity. That’s why TBA collaborated with the Texas Department of Banking to create double-sided handouts that provide “8 Tips for Banking Online Safely” and “8 Tips to be More Cybersecure.” The handouts, available in English and Spanish, were created for customers — especially senior citizens — to keep near their computers when conducting online transactions.

PDF versions of the handouts are available on the TBA website for banks to print themselves, or the handouts can be ordered on the website and TBA will print and ship them to requesting banks. The envelope-sized cards can be placed in bank lobbies, included with bank statements or posted on bank websites as a customer resource. Visit www.texasbankers.com/BankingSafely for more information.

To date, more than 83,000 handouts have been ordered by Texas community banks for their customers. Thanks to Commissioner Charles Cooper and the Texas Department of Banking for their collaboration with TBA on this successful initiative.

2019 Incident Response Playbook

“When, not if.” That is a phrase many cyber experts will echo when discussing the chances of any organization being the victim of a cyberattack or breach. The Texas Incident Response Playbook, which was recently updated, includes helpful guidance on what to do before, during and following incidents of all kinds to include a cyber incident.

The document was developed by TBA, the Financial Services Information Sharing and Analysis Center (FS-ISAC), the American Bankers Association and the ABA State Association Alliance. It is an excellent framework for bank leaders and their technology personnel to discuss bank preparedness and resilience.

Future of Banking Task Force

Although the Future of Banking Task Force has tackled a number of issues, including fintech and core provider relationships, succession issues and bank IT and marketing coordination, enhancements to cybersecurity maturity are always top of mind.

The Future of Banking Task Force, which was established to ensure that Texas community institutions have the information, tools and resources to remain competitive and to succeed, made some cybersecurity-related recommendations in their May 2019 “Summary of Initial Findings and Recommendations.”

Among the Task Force’s recommendations are:

Banks can task future-focused advisory teams to provide valuable insights and recommendations on cybersecurity, customer engagement, digital marketing, technology, etc.
Banks should consider filling board vacancies with at least one individual with expertise in information security and data protection to support more informed cybersecurity discussions at the board level.
Banks should consider leveraging executive team meetings as opportunities to conduct drills involving senior leaders to practice cyber incidence response and to establish clear lines of responsibility across bank operations, to identify coordination gaps and discuss plans and processes for customer and regulator cyber incident notification.

Education & training

TBA provides several opportunities for bank employees, in a variety of formats, including webinars and live programs.

TBA has partnered with SBS CyberSecurity to offer online cybersecurity certifications to Texas bankers. The certification program is designed around three learning paths: executive, manager and technical. The certifications prepare students and their financial institutions for cybersecurity threats and regulations as well as create confidence with examiners and auditors.

IT professionals, who need to stay on top of technology trends and scams, can participate in TBA’s Cyber Tech 2020 Conference, which will be held Feb. 12-14 in Austin and will feature a number of cybersecurity-related topics.

Finally, no program or technology can eliminate all cyber risk. But it can be reduced. TBA will continue to do its part to help Texas community banks fight back.

For more information on any of TBA’s cybersecurity initiatives, contact Alvin Mills, vice president of Information Technology and Security, at [email protected].