The Credit -- Er, IT Crisis?

Posted by OnCourse Staff January 17, 2014 11:49am

Photo Credit: Fred Goldstein

The credit crisis and subsequent recession got me thinking about the potential for a similar "IT crisis" in community banking. Let's head over to our favorite web encyclopedia, Wikipedia, for a quick summary of the causes of the credit crisis:

  • Boom and bust in the housing market
  • Homeowner Speculation
  • High-risk mortgage loans and lending/borrowing practices
  • Securitization practices
  • Inaccurate credit ratings
  • Government policies
  • Policies of central banks
  • Financial institution debt levels and incentives
  • Credit default swaps
  • US Balance of Payments
  • Boom and collapse of the shadow banking system

Now, I don't intend to argue the relative merits of each of these points.  Rather, the point I'm making is that disasters don't normally happen because of a single isolated event.

When things go wrong, it's usually the result of multiple forces coming together in a way that wasn't anticipated - or was ignored. The credit crisis didn't happen because banks wrote a couple of bad loans. Multiple factors are to blame. To really understand and anticipate our risks, we have to consider all of the forces at play.

What does that mean for IT?  Are there forces that could contribute to an IT crisis in community banking?

Rather than regurgitate stats from the various security incident reporting services, I decided to take a different approach.  I picked up the phone and spoke to a number of our clients.  I shared my thought process and we talked about the forces influencing IT in community banking. Here are the results.

Force #1: The sophistication and number of attacks are increasing

The general consensus is that there will continue to be an increase in the number and sophistication of attacks.  I don't think this is a surprise. 

Think about the Zeus Trojan, which was designed specifically to attack banks. It's called a "Man-in-the-Browser" attack. It takes advantage of vulnerabilities on your customers' computers: it waits for the customer to connect to a bank site and then silently makes transactions in the background, bypassing security controls like usernames, passwords, and multi-factor authentication.

Earlier this year security researchers tracked down a Zeus botnet that raided more than $1 million from 3,000 compromised UK online banking accounts. It went on for nearly a month before the Bank knew it was happening. The money flowed out of the Bank to accounts in Eastern Europe, where money mules emptied them.

This is very organized and very sophisticated stuff. See my post here for a more detailed discussion.

Force #2: There will be an increase in the use of new technologies and services

How about cloud computing?  That's where you store your data and access applications out on the Internet.  Google is proving that the cloud is here to stay.  Mobile devices and tablet computers are essentially windows to the cloud, and the apps that run on those devices are increasingly using the cloud as the primary data store.  What does it mean for Banking?  Personally, I believe it's just a matter of time.

Let's be a little less theoretical and think about the realities of today. I'm a consumer-banking customer.  I went into my Bank branch exactly one time - on the day I opened my account - and I probably didn't even need to do that.

  • I bank online
  • I pay my bills online
  • I check my balances on my iPhone
  • My bank sends me text messages

Did you see that Chase commercial where the newlyweds are lying on their bed on the night of their wedding, about to do the first thing that all newlyweds do... Count the money. They take a picture of one of the checks with a cell phone and it's deposited into their account.  Pretty neat.

Now, you can make the argument that community banking is different because it's a relationship business.  Relationships will always have value - but these people are also going to expect a certain level of technical sophistication.  The general consensus is that the use of technology is going to increase.

Force #3: Outsourcing is not going away

Let's think about some of the things that are commonly outsourced in a community bank:

  • Core processing
  • Network management
  • Network security
  • Website design, development, and maintenance
  • Perimeter security

How about services:

  • Audit
  • Loan Review
  • Penetration testing

Outsourcing will likely grow in step with new services and technologies. In other words, as things get more technical, we'll be more reliant on our vendors to provide the expertise we don't have in-house.

IT makes outsourcing particularly challenging. Let's face it, you can have a Loan Review performed and there may be 10 people in the Bank who have a complete understanding of the report. Not true for an External Vulnerability Assessment. In a small community Bank there may not be a single person who understands the issues in that report. Our risks are elevated. How do we effectively manage processes that we don't fully understand?

Force #4: The potential impact from successful attacks is increasing

Quantifying the impact of an exploit is difficult for a lot of banks. How do we quantify the impact of an attack when we don't fully understand the risks? When community banks talk about the impact of a data breach, they're really talking about the impact from the loss of customer data - GLBA. The reality is there are other considerations that muddy the water and make it very difficult to quantify impacts.

Consider a typical community bank website with no customer data on the server. Online banking is outsourced and accessible through a link that redirects to the core processor's site. Pretty typical. Now the Bank's site is attacked and defaced. When users go to the site they no longer see the Bank's site; they see some political message, or pornography, or just a message threatening users that their information has been stolen. Now, we know that no customer data was lost - the site was simply defaced.  All the important stuff is on the core processor's system.

But consider this...

Quantify the impact from the publicity of that attack.

Count on being in the newspaper. Will it impact your ability to get new business? Are you a publicly traded company?  What will the impact be on your stock price?

Quantify the impact to your reputation with your existing customers.

Is it enough that they'll move down the street when that CD matures? You can bet the regulators will notice. How much will it cost you to prove remediation to them? You'll need an assessment, penetration tests, possibly a code review, and maybe even a management study. They may make you appoint an Information Security Officer if you don't already have one. Risk is more than customer data.

Force #5: The audit process has remained largely the same

In community banks, the process of validating the adequacy of IT security has traditionally been completed through Audit. Audit is a control that validates the adequacy of other controls. But, even given the trends we just talked about, at many community banks the audit process has remained largely the same. A typical IT audit focuses on controls as they relate to policy and procedures. The general consensus is that the complexity of modern IT infrastructures requires more. Check out my post here for a more detailed discussion of what that "more" looks like.

What does it all mean?

Instead of thinking about the forces on an individual basis, consider them all together.  This is the reality of IT in community banking:

  • Increasing attacks and sophistication
  • Increasing use of outsourcing
  • Increasing use of new services and technologies
  • Difficulty in quantifying the impacts, which makes risk assessment difficult
  • And the fact that the audit process hasn't really changed

If there is ever an IT crisis in banking, it's going to be the result of multiple converging forces.  As management, you need to think about IT risk holistically. Likewise, the Audit function has to adopt a holistic approach that's capable of identifying risk as it applies to the big picture.

OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment