During the pandemic, many community banks temporarily closed their branch offices and shifted their workforce to a fully remote or hybrid model to keep their staff and customers safe. This shift increased the adoption of new or underused online banking services such as mobile banking, remote deposit capture, and electronic bill payment. Many community banks partnered with technology service providers (TSPs) to meet their customers’ increased demand for online services.
While technology has allowed banks to maintain operations through the pandemic, the accelerated adoption of these services has increased the potential for cyber threats and incidents. When surveyed, most community bankers agreed—cyber risk is the largest operational risk facing the community banking industry today.
Persistent threats
As banks shift toward digital solutions and become more reliant on technologies and third parties, they are increasingly vulnerable to cyberattacks. According to Federal Reserve System information reported by supervised financial institutions, the top threats currently impacting the financial sector are ransomware, phishing, external-facing application vulnerabilities, system misconfigurations, and Distributed Denial of Service (DDoS) attacks, which often result in the disruption of services.
Email remains the largest channel for cyberattacks, with social engineering strategies such as phishing and business email compromise being the entry point for most attacks. In 2021, a survey of Financial Services Information Sharing and Analysis Center (FS-ISAC) members reported that 24 percent of cybersecurity incidents started with an employee being phished. Threat actors used compromised accounts to send more convincing social engineering messages to other employees and bank leaders to gain internal network access, steal credentials to banking platforms, and ultimately spread ransomware across critical bank systems.
Significant geopolitical events have also increased persistent threats. On April 20, 2022, U.S. and international cybersecurity authorities issued an advisory notice warning organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to more malicious cyber activity. While banks have not been primary targets, recent reports indicate an increase in instances of threat actors targeting TSPs to exploit TSP client network access privileges. Cybersecurity authorities acknowledge that the increase in cyberattacks against TSPs is likely to continue and have issued an advisory notice describing cybersecurity best practices related to securing sensitive data for TSPs and banks. Elevated nation-state cybersecurity risk reinforces the need for financial institutions and their TSPs to have appropriate methods for monitoring, sharing, and responding to threats and vulnerabilities.
Cybersecurity risk management techniques
Amid these increasing and persistent threats, banks must maintain appropriate risk management practices to identify, monitor, manage, and mitigate cybersecurity risks. The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) created its Shields Up program to share cyber intelligence and mitigation techniques in response to recent geopolitical events.
Below is a summary of steps that community banks should take, according to CISA and the Federal Financial Institutions Examination Council (FFIEC):
- Review the information security program.
The FFIEC Information Security booklet states that a comprehensive information security program should identify, measure, mitigate, monitor, and report on cybersecurity-related risks. Banks need to ensure full compliance with core cybersecurity hygiene measures such as using multifactor authentication (MFA), backing up critical data, and applying security updates as they are released. Banks with remote employees must use a combination of a virtual private network, MFA, and strong passwords before allowing access to internal bank networks. Bank-owned devices, such as laptops and cell phones, should contain appropriate security software that will lock down or wipe the devices if they are lost, stolen, or compromised.
- Provide routine cybersecurity awareness training for all employees.
Since employees serve as the first line of defense against cyber threat actors, banks need to conduct periodic phishing exercises and test whether employees, including senior management, will open attachments or click embedded links in fake emails. Remedial action, such as additional training or access restrictions for employees who fail multiple tests, is essential to reducing the risk of future phishing attacks.
- Confirm that the organization’s entire network is protected by multiple security tools.
Banks need to establish defined processes and oversight to monitor security operations. Because phishing is one of the most common initial attack vectors, banks need to ensure that email filtering blocks spam, known malicious indicators, and suspicious Internet Protocol (IP) addresses. Banks should also scrutinize password-protected ZIP files and disable macro scripts for documents transmitted via email to prevent ransomware delivery. A properly configured endpoint detection and response (EDR) solution can proactively address real-time threats before they cause damage. Banks with more complex networks should consider implementing lateral movement detection and a Security Information and Event Management (SIEM) solution that centralizes logging and event alerting.
- Enforce a robust patch management program.
A robust patch management program should identify, prioritize, and deploy available software patches to ensure all network components, such as firewalls, computers, and mobile devices, are updated in a timely manner. Banks or their third parties must conduct frequent scanning and penetration testing to identify and remediate critical and high-severity findings promptly. Banks should prioritize patching of Internet-facing servers where known exploits exist and automate updates where possible to expedite routine tasks throughout the patching process.
- Protect, segregate, and routinely test backups.
Many ransomware variants attempt to find and delete any accessible backups, so it is essential that banks maintain multiple copies of critical data. Banks should ensure backup keys are encrypted, stored in multiple geographical locations, and periodically tested to ensure they work when needed. Banks using cloud-based backups should ensure access rights to these cloud-based copies are restricted to employees who need them.
- Evaluate critical vendor contracts and security controls.
It’s important that banks monitor and review all connections between third-party vendors and the bank’s internal network for suspicious activity. Banks should enforce MFA with third parties when possible and confirm that critical service providers have appropriate cybersecurity controls in place to maintain essential services, protect critical customer data, and preserve customer confidence during extended outages. For cloud service providers, banks should ensure that any sensitive information exchanged is encrypted and recoverable within the time frames established by contract service-level agreements.
- Review, update, and test the incident response plan.
Major cybersecurity incidents can be chaotic and time consuming, and they can require strong collaboration among bank staff, law enforcement, regulators, and service providers. These incidents can result in significant disruption and can be costly to an organization. CISA strongly recommends using the Joint CISA and Multi-State Information Sharing & Analysis Center (MS-ISAC) Ransomware Guide to respond to ransomware attacks. Bank leaders should designate an internal crisis response team to discern and document incidents as they occur and promote an efficient response with other internal and external stakeholders. Bank staff should also participate in annual tabletop exercises to ensure that they understand how to manage major cyber incidents.
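The email filtering item above asks banks to block known malicious indicators, scrutinize password-protected ZIP files, and keep macro-bearing documents out of inboxes. The following is an added example, not code from the article or from any of the agencies it cites, showing how an inbound-attachment screen can make those decisions from the file itself: it recognizes macro-enabled and legacy Office formats by extension, walks ZIP local file headers to spot the encryption flag that marks a password-protected archive (which a gateway cannot scan), and looks for executable content nested inside archives. The extension lists are an assumed policy, and the sample archives are constructed in memory; a real gateway would feed it the attachment name and raw bytes.

```python
"""Inbound attachment screening (added example, not from the article).

Flags the attachment types the article singles out for email filtering:
macro-enabled Office documents, password-protected ZIP archives (which a
gateway cannot scan), and executable content, including inside archives.
"""
import io
import struct
import zipfile

# Assumed policy lists. Macro-enabled OOXML formats end in "m"; the legacy
# binary formats may also carry macros, so they get a closer look.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                            ".pptm", ".potm", ".ppam"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
# Script and executable types that have no business arriving by email.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe",
                         ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".lnk", ".iso", ".img"}

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"


def extension(name):
    """Lower-cased final extension of a file name ('' if none)."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def zip_entries(data):
    """Return [(name, encrypted)] by walking the ZIP local file headers.

    Bit 0 of the general-purpose flag field marks an encrypted entry, so a
    password-protected archive is recognisable without knowing the password.
    """
    entries, pos = [], 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos == -1 or pos + 30 > len(data):
            break
        # Fields after the 4-byte signature and 2-byte version (little-endian):
        # flags, method, mod time, mod date, crc32, compressed size,
        # uncompressed size, name length, extra length.
        flags, _m, _t, _d, _crc, csize, _usize, name_len, extra_len = struct.unpack(
            "<HHHHIIIHH", data[pos + 6:pos + 30])
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x1)))
        pos = pos + 30 + name_len + extra_len + csize  # jump over the entry data
    return entries


def screen_attachment(filename, data):
    """Return a list of findings; an empty list means nothing to quarantine."""
    findings = []
    ext = extension(filename)
    if ext in MACRO_ENABLED_EXTENSIONS:
        findings.append("macro-enabled document")
    elif ext in LEGACY_OFFICE_EXTENSIONS:
        findings.append("legacy Office format (may carry macros)")
    elif ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable attachment")
    # Archives are detected by magic bytes, not extension, so a renamed ZIP
    # is still inspected.
    if data.startswith(LOCAL_HEADER_SIG):
        entries = zip_entries(data)
        if any(encrypted for _, encrypted in entries):
            findings.append("password-protected archive (contents cannot be scanned)")
        for name, _ in entries:
            inner = extension(name)
            if inner in EXECUTABLE_EXTENSIONS:
                findings.append(f"archive contains executable: {name}")
            elif inner in MACRO_ENABLED_EXTENSIONS:
                findings.append(f"archive contains macro-enabled document: {name}")
    return findings


def make_sample_zip(members, encrypted=False):
    """Build a constructed test archive in memory.

    zipfile cannot write encrypted archives, so for the encrypted sample the
    encryption bit is set by hand in every local and central header.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((LOCAL_HEADER_SIG, 6), (CENTRAL_HEADER_SIG, 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + flag_offset] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed samples: an archive smuggling an .exe, and a password-protected one.
SAMPLE_PLAIN_ZIP = make_sample_zip({"invoice.pdf": b"%PDF-1.4 sample", "update.exe": b"MZ sample"})
SAMPLE_ENCRYPTED_ZIP = make_sample_zip({"statement.pdf": b"%PDF-1.4 sample"}, encrypted=True)

if __name__ == "__main__":
    for fname, blob in [("invoice.zip", SAMPLE_PLAIN_ZIP), ("docs.zip", SAMPLE_ENCRYPTED_ZIP),
                        ("q1.xlsm", b"PK\x03\x04"), ("report.pdf", b"%PDF-1.4")]:
        found = screen_attachment(fname, blob)
        print(f"{fname}: {'quarantine' if found else 'deliver'} {found}")
```

Reading the local headers directly, rather than trusting the central directory alone, keeps the check honest against archives whose two structures disagree; a quarantine verdict here is a reason for a human or a sandbox to look, not a conviction.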
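The patch management item above says to identify, prioritize, and deploy patches, putting Internet-facing servers with known exploits first and remediating critical and high-severity findings promptly. This added example, not code from the article or from any agency, turns that guidance into a working queue: each scan finding is placed in a priority tier from exposure, exploit availability and severity, given a due date from an assumed remediation window, and reported as overdue when that window has passed. The tier rules, the window lengths, the host names and the VULN-PLACEHOLDER identifiers are all constructed for illustration; the article sets no specific deadlines.

```python
"""Risk-based patch queue (added example, not from the article).

Orders vulnerability findings the way the article recommends: Internet-facing
systems with known exploits first, then the rest by severity, and checks each
finding against an assumed remediation window.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Assumed remediation windows (days from first detection) per priority tier.
# Illustrative policy values; the article sets no specific deadlines.
TIER_SLA_DAYS = {1: 2, 2: 7, 3: 30, 4: 90}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # scanner or CVE identifier (placeholders below)
    severity: str           # "critical", "high", "medium" or "low"
    internet_facing: bool
    known_exploit: bool     # public exploit code or active exploitation reported
    first_seen: date


def tier(f):
    """Priority tier for a finding; 1 is the most urgent."""
    if f.internet_facing and f.known_exploit:
        return 1  # exposed and exploitable: patch before anything else
    if f.known_exploit or (f.internet_facing and f.severity in ("critical", "high")):
        return 2
    if f.internet_facing or f.severity in ("critical", "high"):
        return 3
    return 4


def due_date(f):
    """Date by which the finding should be remediated under the assumed windows."""
    return f.first_seen + timedelta(days=TIER_SLA_DAYS[tier(f)])


def build_queue(findings):
    """Findings in the order they should be worked."""
    return sorted(findings,
                  key=lambda f: (tier(f), due_date(f), SEVERITY_RANK[f.severity], f.host))


def overdue(findings, as_of):
    """Findings whose remediation window had already passed on `as_of`."""
    return [f for f in build_queue(findings) if due_date(f) < as_of]


# Constructed scan results; vuln_id values are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("print-srv", "VULN-PLACEHOLDER-5", "low", False, False, date(2022, 3, 1)),
    Finding("hr-laptop-17", "VULN-PLACEHOLDER-4", "high", False, False, date(2022, 4, 1)),
    Finding("file-srv", "VULN-PLACEHOLDER-3", "critical", False, True, date(2022, 4, 25)),
    Finding("vpn-gw", "VULN-PLACEHOLDER-2", "high", True, False, date(2022, 4, 20)),
    Finding("web-01", "VULN-PLACEHOLDER-1", "critical", True, True, date(2022, 5, 1)),
]
AS_OF = date(2022, 5, 2)  # constructed reporting date for the sample run

if __name__ == "__main__":
    for f in build_queue(SAMPLE_FINDINGS):
        status = "OVERDUE" if due_date(f) < AS_OF else "due"
        print(f"tier {tier(f)}  {f.host:14} {f.severity:9} {status} {due_date(f)}")
```

The tiering is deliberately a short list of explicit rules rather than a numeric score, so that an examiner or auditor can read the policy straight from the code and check each finding's placement by hand.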
Steps to perform in a major cyber incident
In the event of a cyberattack, the incident response plan should be immediately activated. In addition to the advice posted in the CISA and MS-ISAC Ransomware Guide, we recommend that bankers perform the following during a cyberattack:
- Contact critical vendors, including the TSP, Internet service provider, and core processor.
- Reach out to senior management and board members to ensure that they understand the incident and request resources to coordinate incident response and disaster recovery plans.
- Contact the bank’s cyber insurance provider, who can assist with the information gathering phase of the incident and can often suggest incident response companies they’ve worked with in the past.
- Ensure employees have a prepared and consistent message for communicating with customers.
- Notify the bank’s primary regulator and law enforcement, and ensure compliance with the new Computer Incident Reporting Rule that took effect April 1, 2022.
The Computer Incident Reporting Rule requires prompt reporting of significant computer-security incidents that have resulted in actual harm to the confidentiality, integrity, or availability of information to a banking organization. Banks must notify their primary federal regulator within 36 hours after the organization has determined that an incident has occurred. The Computer Incident Reporting Rule also requires bank service providers to promptly notify each affected bank customer. These requirements help promote early awareness of emerging threats to banking organizations and their service providers and allow regulatory agencies to notify other organizations of potential threats before they become systemic.
The good news
More cyberattacks can be prevented with proper training and detection and escalation tools. As cyberattacks continue to grow in number, scope, and sophistication, community banks should implement enhanced cyber risk management controls. We encourage banks to reach out to their Federal Reserve Bank central point of contact to ask questions or request additional information on cybersecurity risk management practices and the new Computer Incident Reporting Rule.