Cybersecurity for Banks and Credit Unions

Last year alone, the U.S. saw nearly 2,000 data breaches with over 400 million individuals affected. Many of these breaches happened at household-name brands such as Shein, Twitter, Uber, and Nelnet, a major student loan servicer. In the past 15 years, breaches at financial institutions have accounted for over 200 incidents. In fact, cyber vulnerabilities are among the top risks to global stability according to the World Economic Forum’s 2022 Global Risks Report.

Good bank data security is now the cost of doing business and no institution—from large corporations to small businesses, local and federal government offices, and international and local financial institutions—is immune. That’s why we’ve devoted this guide to discussing common cybersecurity banking risks. We’ll take a look at recent financial data breaches, explore common risks banks face, and strategize how to prevent a cyber-attack and mitigate risks, from assessing your own institution’s vulnerabilities to creating a robust and effective response plan.

Examples of Data Breaches in the Financial Industry

Millions of individuals’ private data is stolen each year, either maliciously or through the mishandling of sensitive information. For financial institutions, who have access to especially sensitive identity and financial information, data breaches can cause great harm to the individuals affected. Perhaps one of the largest breaches in recent memory was the First American Financial Corp. in 2019, where over 855 million real estate and mortgage documents were erroneously made available to the public—information including driver’s license and social security numbers, as well as mortgage and tax records. More recently, 14 million records were stolen during a breach at Latitude Financial, an Australian financial services company.

Unfortunately, it’s not just the biggest banks that have cybersecurity targets on their backs. Community banks and credit unions should also be concerned with data breaches and prepared for when, not if, it happens. Smaller financial institutions may be seen by cybercriminals as easier to breach while still offering the same desirable information such as social security and bank account numbers, birth dates, and more.

What Are the Costs and Risks that Banks Face During a Data Breach?

Banks make popular targets for hackers because of the high level of personal data that financial institutions have access to. Infiltration of bank databases extend beyond just the financial institutions themselves; they also include various third-party systems—from credit reporting agencies to web apps—that institutions are connected with,

Cyber criminals can use a variety of nefarious methods to gain access to financial and personal data held by financial institutions. One of the most common techniques is phishing, when criminals trick employers into providing their login credentials through email and website spoofing. Phishing emails can also result in the downloading of attachments that contain malware, allowing hackers to infiltrate networks and even lock financial institutions out of their data. Lastly, DDoS and DoS attacks are also becoming increasingly popular, overwhelming online systems with a deluge of requests, causing crashes and downtime, and sometimes requiring the payment of a ransom to stop the attack.

The result of data breaches from ransomware ransoms to data recovery measures can be the loss of millions of dollars. The average cost of a data breach is $3.9 million, according to IBM Security’s “Cost of a Data Breach Report,” which also reports the cost per record lost at $150, noting that the U.S. is the most expensive country for data breaches.

So, how does a data breach add up to millions of dollars in recovery costs?

  • Direct Costs: Forensic experts, hotline support, free credit monitoring services for customers, internal investigations, potential settlements and associated legal costs.
  • Indirect Costs: Decreased customer trust leading to customer attrition, damage to reputation, reducing new customer numbers and instigating a drop in share prices, and ongoing legal consequences.

Performing a Banking Cybersecurity Risk Assessment

Before formulating a plan to minimize risk and address threats, it is crucial to perform a thorough risk assessment. Your risk assessment will act as a roadmap to developing effective prevention and mitigation strategies, and help you uncover potential vulnerabilities that may have otherwise been overlooked—these are places that experienced hackers will scout out and target if not adequately addressed. The basic requirements of a risk assessment can include the following areas of concentration.

Understanding Information Flow

Know what customer information is collected, who collects it, where that information is stored, how is it protected, and who has access to it. Scrutinize each of these components for points of weakness or ways in which security measures can be reinforced. Also consider the consequences of data breaches for all types of information collected.

Examining Internal and External Digital Systems for Vulnerabilities

From in-house email to third-party apps, know how the programs, networks, and apps that store and collect customer data are protect it.

Cataloging Your Threats

Security threats can come from ‘internal actors’ (aka, employees) as well as outside agents, from local identity thieves to international hackers. Vulnerabilities can also arise from other circumstances, including natural disasters (like floods and fires), system failures, and human error. Calculate the probability of each kind of threat, highlighting the most likely areas as your primary focuses.

Critiquing Current Security Measures and Response Protocols

Evaluate your existing preventative measures and incident response plans looking for weaknesses and places that would benefit from reinforcement. Run through your current response plan using a variety of threats to discover potential pitfalls and inefficiencies.

How to Prevent a Data Breach at Your Bank

As we discussed above, threats can come in a variety of forms, including internal inefficiencies and weaknesses. An important step in prevention is to take stock of your current security culture. Ask yourself if any of these common obstacles are holding your bank back from better security practices:

  • Slow budget cycles
  • Inefficient IT organization
  • Lack of focus on root causes
  • Internal politics
  • Too many “high priorities” so nothing is a priority
  • Poor threat intelligence when it comes to detection and metrics
  • Poor communication across your organization

Be sure to consult with your IT department in this process so they can weigh in on which issues they think are most pressing—good alignment between bank executives and IT is essential when creating strong banking cybersecurity protections. Ultimately, there are no magic bullets for managing bank cybersecurity threats. In today’s evolving digital landscape, where data breaches continue to grow in number and complexity, a paradigm shift is required to meet the challenges of a new decade. This is the shift towards data-driven decision making.

cybersecurity graphic

What is data-driven decision making?

Data-driven decision making doesn’t just mean empirically looking at metrics and statistics. It means recognizing that your business, employees, and customers don’t exist in a vacuum. Outside pressures affect outcomes and consequences, and your institution’s broader context must be taken into account.

Don’t be afraid to think about other possibilities that are not traditional to the world of IT security. Consider how political and global events might impact the threatscape you face:

  • Employees may be more disgruntled or react more severely to new company policies that come with negative consequences.
  • Hackers with anti-establishment motives might feel more emboldened and launch new waves of attacks against the financial industry.
  • Understanding the threatscape and staying in front of it is all part of good threat intelligence.

So, what powers data-driven decision making?

Call it good threat intelligence or business intelligence. Either way, if you want to approach cybersecurity in banking scientifically, you need good data you can trust. Investing in your threat detection and analysis capabilities is the starting point of building your cybersecurity apparatus. Here are the best methods for staying ahead of the curve and keeping yourself from becoming misaligned on your biggest threats:

  • Take inventory of your devices and properly dispose of unused or unneeded devices. The more devices you have to protect and manage, the more at risk your bank will be for a data breach. Cutting down on unnecessary software is also a great way to decrease your vulnerability to cyberattacks.
  • Restrict access to sensitive data to administrators and only the employees who need access.
  • Backup your data to make your institution less vulnerable to a ransomware attack.
  • Keep your software up to date.
  • Monitor your network for suspicious activity.
  • Maintain updated firewalls and security software.

Person looking at a laptop with a warning screen

Across industries, internal actors account for about 20-40% of all data breaches, according to Verizon’s 2022 Data Breach Investigation Report (DBIR). This is more often the result of error and poor training than malicious intent. That is why mandatory employee security training is another crucial aspect of preventing data breaches. Here are some common cybersecurity topics your staff should be well-versed in:

  • Leaving sensitive data out in the open
  • Locking down laptops in the office
  • Clicking on suspicious links or using unsecure sites
  • Connecting via unsecure Wi-Fi networks
  • Letting people into the office building without a badge or id
  • Providing sensitive information over the phone

Sign that says Free Wifi

Additional Tips for Enhancing Your Bank’s Cybersecurity

As mentioned above, vulnerabilities can come from a variety of sources and can have multiple solutions. Here are a few additional preventative measures to follow:

  • Systems: Create clearly outlined and documented data management processes, set up secure in-house wi-fi networks, only use data storage that utilizes encryption for sensitive data, and perform regular security checks. Regular audits can further streamline these systems, identifying gaps in the security infrastructure to create an unbreachable bank network security system.
  • Employees: Emphasize cybersecurity literacy (particularly revolving around phishing scams), create mobile device management and acceptable use policies, and require robust authentication and wi-fi security for remote workers (including VPN). By maintaining an ongoing cybersecurity education program, employees will be equipped to identify and avoid potential security threats, thus contributing to overall bank network security. Moreover, with enforced policies for mobile device management and VPN usage, remote work can be secure and reliable.
  • Customers: Provide customer protection including fraud notifications, educational outreach to raise awareness of phishing and other identity theft scams, and two-factor authentication requirements. In the digital age, extending cybersecurity measures to customers can act as an additional line of defense, with informed customers less likely to fall for scams. Mandatory two-factor authentication requirements can further ensure that even if a customer’s information is compromised, unauthorized access can be prevented, enhancing banking cybersecurity for all stakeholders.

Responding to a Cybersecurity Attack: The Aftermath

Prevention is only half the battle; your bank should also be prepared to handle the aftermath of a cyber-attack and data breach. Here’s what that looks like:

Create a detailed response plan.

Your plan should include specific strategies to:

  • Assess the threat
  • Contain the threat
  • Communicate with all stakeholders
  • Implement recovery and solutions

Tailor your breach response plan to your unique digital needs, including third party partners, customer base, geography, and risk tolerance.

Every financial institution will have a different constellation of factors that will help form their response plan. Flexible elements can include:

  • Security framework including firewalls, intrusion detection, and customer authentication tools
  • Notification systems to general employees, customers, and senior management and board members
  • Strategies to contain the threat and maintain basic functionality during potential downtime
  • Partner firms and advisors to help manage response and recovery
  • Specific state compliance requirements for protecting customer data

Test your plan regularly to ensure the following elements are functional:

  • Detection tools are effective: from employee cybersecurity literacy to overlapping security protocols, threats and vulnerabilities can quickly be identified.
  • Immediate communication plan is transparent and easy to follow: a specific plan is in place for escalating breaches to senior management and the board and individuals responsible for containment.
  • Functioning collaboration matrix is in place: designated employees and departments are able to quickly assume responsibility for mitigation, recovery, and investigations, working together as needed.
  • External partners are at the ready: Established firms are in place for external technical and legal advising, with in-house point persons in place.

As a financial institution, compliance culture will not only play a huge role in defining how your organization organically responds to potential breaches, but you can also leverage your compliance department as an effective partner to breach response. As the ABA Banking Journal writes in their article Bank Compliance and Security Breaches, “Compliance is often deeply familiar with the interrelation between reputation risk, operational risk and compliance risk through its role in day-to-day compliance issues facing the institution.” Compliance departments can help lead less-experienced incident-response teams in establishing and following systemic and legal protocols during a data breach and can act as an independent check when assessing risk, reviewing protective measures to minimize risk, and determining the correct course of action for individual scenarios.

Partner with PrintMail Solutions for Advanced Security

For more than 20 years, banks and credit unions have trusted us with their customer/member data. Today, PrintMail Solutions has the most comprehensive and stringent security in the financial statement outsourcing business for both print communications and eStatements. We are up-to-date on banking cybersecurity regulations and will meet or exceed all your requirements for critical vendors.

When you are ready to outsource all of your compliance printing and mailing needs (like welcome packages, compliance letters and notices, privacy and loan documentation mailings, tax forms, account statements, and credit card statements,) we are here to help. Contact us today to request a strategy consultation and learn how we can help improve the safety and security of your bank’s customer communications.

 

Subscribe to our Blog for more insider industry tips on technology topics from APIs to chatbots.