Cybersecurity Risks in the Banking Industry: Takeaways from the 2023 Bank Expo
Recently, I had the pleasure of speaking to the members of the Maine Bankers Association at the 2023 Bank Expo in South Portland about cybersecurity risks in the banking industry. Maine’s only Bank Expo created a perfect opportunity for establishing and growing industry relationships, gaining vendor insights and connections and, most importantly, learning about a wide array of topics impacting your work as a professional in the banking industry. The event offered customized tracks, targeting content to roles from branch managers, security officers, human resources, and compliance and regulation teams. As part of the SECURE track, which offered training relevant to cybersecurity and fraud staff, the program provided critical information to the teams on the frontlines of keeping banks and financial institutions safe, as well as opportunities to share insights on what they are regularly seeing in the field.
My session focused on an overview of the 2022 Verizon Data Breach Investigations Report (DBIR), recent cybersecurity incidents, updates in cybersecurity regulations, and strategies companies can employ to increase their security posture.
Here are some key takeaways from the presentation and audience Q&A:
Ransomware is not slowing down
According to the 2022 Verizon Data Breach Investigations Report, ransomware attacks rose by 13% in 2022 – more than in the last five years combined – and accounted for 25% of all cyber attacks. Your bank should have an enterprise ransomware policy in its incident management program that defines the actions to be taken in the event of a ransomware attack. Alternatively, if your company has hired or partnered with a third-party vendor to manage your incident response plan, ensure they have created a well-defined playbook and have shared it with your team in advance. This plan or playbook can take many forms and should ultimately be designed to align with your institution’s workflows, processes, and team.
Cyber insurance companies are more cautious than in prior years
The cyber insurance landscape has changed in recent months. Getting the right amount of coverage is difficult, and should be based on organizational assets, exposure, and risks. Insurance companies increasingly ask more detailed questions during the application process. With an ever-evolving threat landscape and scarce security budgets, very often, institutions do not have favorable answers, which could lead to higher premiums or rejected applications. It is important to note that failing to answer truthfully puts your organization at risk. Insurance companies validate the answers at the time of claim and will deny claims if discrepancies are found! Insurance carriers will not insure institutions without an information security program in place, or without basic security controls such as multi-factor authentication (MFA), vulnerability management, or third-party management in place.
Third-party risk management is more important than ever
Third-party risk management allows you to understand how data flows, and who has access.  It is important to evaluate vendors, and onboard them only once you have confirmed that they adhere to your organization’s security standards and comply with relevant regulations and industry requirements around vendor risk management. According to the 2022 Verizon Data Breach Investigations Report, supply chain is still top of mind and a serious threat, as it was responsible for 62% of system intrusion incidents last year.
Security hygiene sets solid foundations for safe business
Utilizing strong passwords, focusing on length over complexity, employing MFA, and using a password manager can provide a solid foundation for access management.
Updating software timely can minimize risk stemming from known vulnerabilities, often exploited by the attackers.
Data backup is important and can save your company time and effort while recovering from natural disasters or security incidents. Having tested backups will ensure necessary data can be restored for the organization to conduct business after the incident. It is important to have at least one copy, which is immutable and safe from compromise, in case of a ransomware attack. Your third-party cybersecurity vendor can advise you on how to set up these controls and backups up correctly.
Solid asset inventory, especially internet facing, can’t protect what you don’t know exists
Asset inventory is one of the first controls in many cybersecurity frameworks, and there’s a good reason for it. You can’t protect what you don’t know exists! Solid asset inventory also makes vulnerability management, software updates, and antivirus software more efficient.
User education is the key to success – be creative
Cybersecurity awareness training is one of the basic activities all organizations should perform to protect company digital assets. Bad actors are creative and social engineers constantly produce new and improved ways to trick business users into giving them access to internal systems. Traditional, one-size-fits-all training may not be enough; find out the learning style of your user population and customize training. Training combined with simulated phishing tests leads to continuous improvement.
Updated regulations, standards, and frameworks have common trends: comply with one, satisfy many!
Recently, many of the current security regulations, standards and frameworks evolved and changed, and they all touch on many of the same topics and include common controls. Some examples are:
- Risk assessments
- Vendor risk assessments
- Multi-factor authentication
- Penetration testing
- Incident response
- Data retention
While choosing an industry-specific framework is always best, there is substantial crossover between frameworks, so compliance with one standard will typically allow your organization to comply with multiple standards.
Penetration testing, vulnerability, and risk assessments all provide good feedback
Risk assessments, penetration tests, and vulnerability assessments provide instant feedback and pinpoint key risks and vulnerabilities before exploitation can happen. Risk assessments can be as in-depth as needed, depending on organizational resources. Institutions can conduct risk assessments, penetration tests, and vulnerability assessments using internal staff and/or a trusted partner to leverage their knowledge and experience.
It was my great pleasure to present to a crowd of IT and security professionals dedicated to improving security for local Maine banks. There were several good questions and many of the banking professionals in attendance were eager to learn more. One of the concerns I heard during discussions after the presentation was how to ensure the immutability of backups. An immutable copy could be stored in a variety of on- or off-site ways, and the best location for your institution depends on your internal environment, your budget, and the size and complexity of your environment.
At the end of the day, having a thorough cybersecurity response plan and third-party risk management strategy in place at your institution is more important than ever. The tips above are the first steps toward making your institution more secure.
BNN’s Information Systems & Risk Assurance practice offers a suite of cybersecurity and risk assessment services and can assist organizations of all sizes and across industries establish and maintain security and compliance in their IT environments. Get in touch with a member of our team to discuss what service or customized package could help you achieve your goals.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.