By Scott Birrenkott

WBA filed comments this week with FRB, FDIC, and OCC (agencies) on their proposed guidance on managing risks associated with third-party relationships (proposal).

Over the years, the agencies have issued guidance on third-party management for their respective supervised institutions. The agencies have issued the proposal in an effort to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management. The proposal is based on the OCC’s existing third-party risk management guidance from 2013.

WBA commented that the proposal presents a welcome opportunity to consolidate and update each agency’s individual existing guidance, and generally supported the effort. In addition to general comments reflecting member experiences in third-party management, WBA did recommend that the agencies consider specific examination procedures in accordance with the guidance, and provide banks with sufficient time to adapt to any final guidance.



By Cassandra Krause 

With a recent uptick in activity, ransomware attacks are a form of cyberattack that has been prevalent in recent news — and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game to steal the data first, then threaten to also publish the data to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets. 

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020 to 2021. The per-record cost of personally identifiable information averaged $180.

Prevention 

With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director of InfoSec and Audit, Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of its network security, improving endpoint protection to replace traditional antivirus and endpoint detection solutions, and adding authentication improvements such as MFA, stronger passwords, and protected backups. As more and more of the digital tools that bankers use require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities.

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Wolf & Company, P.C. Manager of the I.T. Assurance Group Sean Goodwin, who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.” 

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee rather than break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology). 

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This category of solution, known as endpoint detection and response (EDR), is rapidly becoming a key point of protection from ransomware and all other malicious events.

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 

Preparation 

Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for their customers. Otteson recommends reporting all incidents, as even a minor incident could result in a claim down the line, and having reported that incident when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or with a vendor the bank shared customer data with.

Mitigation 

It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the amount of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff. 

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incident response plan. Assessing what went well and what needs to be improved are critical steps.

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 

Summary 

Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destroyed data; and the down time of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCO, MBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.

Farmers & Merchants State Bank is excited to take another step in the right direction by moving the Smith home to provide space for building the new location of Farmers & Merchants State Bank.

“It’s very rewarding that we were able to be environmentally responsible by moving the home,” said Bill Campbell, Bank President & CEO. Campbell went on to say, “our bank customers have asked us to have a location in Lake Mills for a long time. We listened and look forward to opening our doors in late 2022.”

The Smiths are happy with the outcome as well knowing that the home will be kept in the family. Alberta McGraw, the most recent home renter, said “the inside of the house is in great condition; it’s really nice that it will be used as a family home.”

Art Zastrow built the home in the mid-1960s. Originally it was also the location of Art’s Bait Shop, where fish tales were told for many years. The bait shop was located in the basement of the home and was operated as a bait shop by subsequent owners.

The Smith home successfully made the journey to its new destination in rural Jefferson County on September 23, 2021, traveling at a speed of 20 miles per hour.


By Fahad Nazer, Official Spokesperson, Embassy of the Kingdom of Saudi Arabia

The relationship between the United States and Saudi Arabia entered a new era on February 14, 1945, when King Abdulaziz Al-Saud met President Franklin Delano Roosevelt aboard the USS Quincy. In the 76 years since, relations between our two nations have continued to deepen and to broaden. Indeed, our partnership is rich and multilayered. It has political, security, cultural, and importantly, economic dimensions that have served the interests of both nations and our peoples. Strong bilateral ties between the U.S. and Saudi Arabia have helped advance stability across the Middle East and have led to decades of economic strength for both Saudis and Americans.

Saudi Arabia’s economic relationship with the U.S. is a critical component of this partnership. The U.S. is one of Saudi Arabia’s largest and most important trading partners. In 2019, there was over $17 billion in trade between the U.S. and Saudi Arabia. While much of the attention on trade has focused on the critical role that Saudi Arabia plays as the world’s biggest exporter of crude oil, the economic partnership between the U.S. and Saudi Arabia has steadily diversified over the years. Today, our economic relationship includes cooperation across high-tech sectors, Artificial Intelligence (AI), sustainable development and green technologies, and even tourism and entertainment that bring our two countries closer together. This economic diversification will further strengthen the relationship and will undoubtedly provide opportunities for companies in both Saudi Arabia and the U.S., including in Wisconsin.

This rapid economic diversification is a key pillar of the historic transformation currently underway in Saudi Arabia known as Vision 2030. Under the leadership of Saudi Arabia’s King Salman bin Abdulaziz Al-Saud and His Royal Highness the Crown Prince, Mohammed bin Salman, Vision 2030 was unveiled in 2016 to serve as a blueprint for developing Saudi Arabia’s potential and achieving our ambitions for the 21st century. While Vision 2030 has impacted all facets of Saudi life, it seeks to develop a thriving economy for the Kingdom through innovation, diversification, and utilizing the Kingdom’s youth power to create a sustainable economy for the future.

For Wisconsin companies, Vision 2030 is an opportunity for generating continued growth and developing new partnerships. Saudi Arabia and Wisconsin companies have already established strong ties. For example, Fincantieri Marinette Marine currently has a multi-billion-dollar contract to build four ships for the Saudi Navy, the Oshkosh Corporation has a joint venture with a Saudi company called Al Tadrea, and according to the U.S. Census Bureau, Wisconsin in 2020 exported $234,237,738 worth of commodities to Saudi Arabia and imported $1,641,938 of commodities that same year. Both of our countries benefit from these business relationships.

Additional opportunities and expanding the existing trade relationship between Wisconsin and Saudi Arabia are essential to the future of the U.S.-Saudi partnership. Our bond with the U.S. is strengthened and improved when every region and state in America is included and prospers because of the partnership. I would encourage Wisconsin business leaders to consider Saudi Arabia as not just a new market for expansion but as a long-term economic partner that can become an important ally for The Badger State, through collaboration, investment, and trade.

Finally, while I hope that my description of the historic transformation occurring in Saudi Arabia is informative, there is no substitute to visiting the Kingdom. I would invite all the newsletter’s readers, all those interested in learning more about Saudi Arabia, our people, and the significant investment and economic opportunities in the Kingdom, to come visit us and to see this exciting transformation for themselves.

For more information, please contact Info.was@mofa.gov.sa.


By Scott Birrenkott

Q: Does RESPA Prohibit Kickbacks for Referrals Related to Settlement Services?

A: Yes. WBA has received a few inquiries recently regarding Real Estate Settlement Procedures Act’s prohibition against kickbacks and unearned fees, and has created this summary as a quick refresher.

RESPA Section 8 prohibits certain actions related to federally related mortgage loans, including a prohibition against giving or accepting a fee, kickback, or thing of value pursuant to an agreement or understanding (oral or otherwise), for referrals of business incident to or part of a settlement service involving a federally related mortgage loan. There are definitions within that prohibition which help determine what might be covered.

“Thing of value” is defined broadly and can include a number of arrangements. “Settlement service” is also defined broadly and includes any service provided in connection with a real estate settlement. Referrals include oral or written action directed to a person that has the effect of affirmatively influencing a person’s selection of a provider of a settlement service or business incident to or part of a settlement service. For example, if a settlement service provider gives referral sources tickets to attend professional sporting events in exchange for referrals as part of an agreement or understanding, such conduct violates RESPA Section 8.

Certain arrangements, such as affiliated business arrangements and marketing services agreements are not violations of RESPA Section 8. Such determinations are fact-specific, however, and may require discussion with a bank’s legal counsel.

Further resources are available in CFPB’s helpful Real Estate Settlement Procedures Act FAQs.

If you have any questions on this topic or other matters of compliance, contact WBA’s legal call program at 608-441-1200 or wbalegal@wisbank.com.

Note: The above information is not intended to provide legal advice; rather, it is intended to provide general information about banking issues. Consult your institution’s attorney for special legal advice or assistance. 


North Shore Bank announced it has been named as Newsweek’s Best Small Bank in Wisconsin 2022. The community bank has been providing financial services to local residents for nearly 100 years.

Newsweek’s award winners are selected from among 2,508 financial institutions and assessed on more than 30 separate factors, covering the overall health of the bank, customer service performance and features, digital and branch presence, account and loan options, interest rate offerings and fees. To identify America’s Best Banks, Newsweek worked in partnership with Lending Tree.

“We’re honored to be named by Newsweek as the best small bank in Wisconsin, especially following the hard work and dedication of our employees during this challenging year,” says Susan T. Doyle, senior vice president of retail banking for North Shore Bank. “For the past nearly 100 years we’ve been putting our customers first, ensuring they receive the best choices for lending and banking services along with top-quality customer service, and we’re thrilled to have our commitment recognized in this way.”

In its Best Banks 2022 report, Newsweek noted that with current low interest rates, it’s all the more important for consumers to seek out institutions that pay a decent rate while also keeping fees to a minimum, so they keep more of what they earn.

In addition to the 2022 Newsweek honor, North Shore Bank has also received past best-in-banking distinctions from Forbes multiple times.

Founded in 1923 and headquartered in Brookfield, Wisconsin, North Shore Bank is a mutual savings bank with assets of over $2.5 billion and 45 offices throughout eastern Wisconsin and northern Illinois. Wisconsin locations are in metro Milwaukee, Germantown, Ozaukee County, Racine, Kenosha, Appleton, Menasha, Green Bay and surrounding areas, Burlington, Union Grove, Muskego, and Door County.

Badger Bank is pleased to announce the promotion of Sydney Algiers to Branch Manager/Loan Operations Manager. Algiers will assist with loan operations functions in addition to her responsibilities as a branch manager.

Algiers recently celebrated her 5th anniversary with the bank. She started as a part-time teller in August 2016 and became a full-time teller in December 2016. In June 2018 she joined the loan processing department. She has been located at the Johnson Creek branch for her entire career with the bank, and as a native of Johnson Creek has been in the area much longer than that!

“Sydney has demonstrated her talents and capabilities during her first five years with the bank, and we are very proud of her career progress,” stated Craig Keleher, CFO of Badger Bank.

“Our team has really flourished through this pandemic adversity, and Sydney will keep that progress going,” said Steve Dehnert, President & CEO of Badger Bank. “I am proud to support the growth of Sydney’s career in her new role.”

We invite the community to join us in welcoming and congratulating Sydney.


By Jennifer Mirus, Boardman Clark, a WBA Gold Associate Member

On September 24, 2021, the Biden Administration released guidance regarding the scope of Executive Order 14042, which mandates that employees of covered federal contractors demonstrate proof of full vaccination against COVID-19 by December 8, 2021.

The guidance lists several categories which, if applicable to an employer, will trigger its obligation to ensure its employees have been fully vaccinated. The guidance defines “contract” broadly to include: “all contracts and any subcontracts of any tier thereunder, whether negotiated or advertised, including any procurement actions, lease agreements, cooperative agreements, provider agreements, intergovernmental service agreements, service agreements, licenses, permits, or any other type of agreement, regardless of nomenclature, type, or particular form, and whether entered into verbally or in writing.” 

This broad guidance left certain questions unanswered regarding which entities qualify as a covered federal contractor. Notably, it is unclear whether banks are considered federal contractors due to their FDIC relationship with the federal government. Because the guidance is written in broad terms, it could be construed to mean that banks are considered federal contractors because they obtain a “service” from the federal government in the form of FDIC insurance and thus have a “service agreement” for the purposes of the vaccination requirement. However, this is a very literal reading of the guidance which may not be how the Executive Order and guidance are intended to be interpreted. Additionally, an earlier executive order regarding minimum wage used a similar definition of “contract,” and there is no clear guidance or rulings that banks were subject to that order.  

Thus, at this time, it is a reasonable conclusion that banking institutions are not covered federal contractors that must comply with the vaccination mandate. More guidance and clarification will be needed before it is clear whether banks are considered federal contractors under the Executive Order. Banks that have explicit contracts with the federal government likely do qualify as federal contractors, even if they are not federal contractors by virtue of FDIC programs.

Banks with 100 or more employees might be subject to the anticipated emergency temporary standard under the Occupational Health and Safety Administration (OSHA) that will require COVID-19 testing or vaccination. Details on OSHA’s standard are anticipated in the near future. 

Toni Posto has been promoted to a Personal Banker Team Leader at the National Exchange Bank & Trust office located on West Johnson Street in Fond du Lac.

Posto joined the bank in 2014 and brought with her more than five years of banking and management experience. She will continue to ensure smooth and efficient deposit account set-up and customer service while taking on additional responsibilities as a team resource and trainer.

Posto grew up in St. Louis, Mich. where she attended St. Louis High School. She then went on to earn her Criminal Justice Certificate from Montcalm Community College in Sidney, Mich. Today, Posto resides in Omro and is an active member of the Oshkosh Elks Lodge.

National Exchange Bank & Trust is an independent bank with convenient locations throughout Southeastern Wisconsin. For more information, visit the bank’s website at nebat.com.