Helping Community Banks Fight FraudWhy Enhanced Information Sharing Must Be a Priority
At Information Security Media Group's Fraud Summit Chicago on May 14, several security executives said they see a growing need for sharing more cyber-intelligence with community banks and credit unions. That's because many smaller institutions don't appear to have a good handle on the real threats they face.
By joining groups such as the Financial Services Information Sharing and Analysis Center, banking institutions can gain access to threat updates to help them make the right decisions about their security strategies. But community institutions have limited budgets for membership fees, security technologies and staffing, executives from several smaller banks and credit unions told me at the conference.
As community institutions increasingly become attackers' favored targets, we have to pool our fraud-fighting resources in a more meaningful way.
Executives at community institutions know that the fraud landscape is changing, but they say it's tough for them to implement threat-mitigation recommendations from banking regulators or best practices from top-tier banks.
One community banker at the summit told me his IT/fraud/security department is made up of three individuals, including himself. Not only does his team have no additional budget for membership in the FS-ISAC, he questions who on his team could even keep up with the alerts and information that the group provides.
But the Federal Financial Institutions Examination Council and the Office of the Comptroller of the Currency have made it clear that cybersecurity oversight of community banks and credit unions is going to quickly ramp up this year (see FFIEC Cyber Assessments: What to Expect).
That's why industry groups and others need to step up to the plate to help these institutions enhance their security efforts.
Understanding Their Risks
There is real concern within the industry that community institutions are not up to speed about emerging cyberthreats and risks.
Cross-channel fraud, for instance, is a growing trend, says summit speaker David Pollino, who oversees fraud prevention efforts at Bank of the West. Many larger institutions are using technologies such as big data analytics to help get a clearer picture of their actual fraud losses. So they can see that cross-channel fraud is a big problem, he says.
Yet, according to preliminary results from our 2014 Faces of Fraud survey, many mid-sized to smaller community banks and credit unions apparently don't see cross-channel fraud as a big concern. Nearly half of our survey's respondents say they see no significant increase in cross-channel fraud patterns.
Pollino and Doug Johnson, who oversees risk management policy for the American Bankers Association, say those results reflect the limited awareness of emerging fraud trends among most smaller banking institutions.
Obligation to Assist
Helping smaller institutions improve their ability to fight off cyberthreats needs to be a higher priority. Larger banking institutions as well as major industry groups have an obligation to spearhead the effort.
During the distributed-denial-of-service attacks that plagued the financial-services sector in 2012 and 2013, FS-ISAC shared timely information with non-members, helping to set a new bar for cybersecurity intelligence. All banks and credit unions were made aware of the trends the FS-ISAC's member institutions were identifying.
At the height of the DDoS attacks, the financial industry pulled together to make cybersecurity and the protection of the financial infrastructure a priority. I hope the spirit of that effort can be revived in the months ahead through a similar type of cyberthreat information sharing effort.
As panelists said during the opening session at the summit, banking institutions have to work together because the financial system is only as secure as its weakest link. As community institutions, and retailers for that matter, increasingly become attackers' favored targets, we have to pool our fraud-fighting resources in a more meaningful way.