OCC Warns Banks on Cybersecurity Issues; Experts Share Their Advice

Cyberattacks on bank data, including ransomware incursions that can deny a financial institution access to its own digital information, are an increasing operational risk, an industry regulator and cybersecurity experts warn. 

While most have adapted to employees working remotely during the COVID-19 pandemic, banks need to be especially mindful as hackers more aggressively attempt to break into computer systems from various points of entry, they say. 

“Banks should remain vigilant concerning cybersecurity control and risk management practices as banks face continuous threats from cyber actors,” the Office of the Comptroller of the Currency stated in its autumn Semiannual Risk Perspective. “These actors have become less inhibited and more sophisticated with their knowledge of the financial institution operations and vulnerabilities in bank applications or systems.” 

In addition to exploiting system susceptibilities, cyber crooks are using exploitation methods like phishing emails and credential theft to compromise bank systems, and examiners continue to identify concerns with bank information technology security, the OCC said. 

The pandemic has made the situation worse. 

“Cyber criminals prey on fear and urgency and general mass concern. So the coronavirus, this global pandemic that we’re dealing with, really is the sweet spot for those folks – particularly in sending out mass phishing email scams,” said Jon Waldman, co-founder of SBS CyberSecurity, a Madison, South Dakota firm that works with many financial institutions. “One out of every three phishing scams today are COVID related.” 

Waldman said that during the March-through-April stretch when coronavirus fears initially peaked, there was a 667% rise in phishing emails in the U.S. 

Phishing – a technique in which a cyber thief sends emails in the hope of duping an unsuspecting victim into turning over private information like email or system passwords – often is the easiest route for busting into a data system. 

Rather than use a highly skilled hacker to try to break through a company’s firewall, organizations can send authentic-looking phishing emails that trick the recipient into clicking on a link that opens the door to a data takeover. 

“The weakest link is the person who hasn’t been informed well enough or trained well enough or educated well enough that you don’t click on links that were not expected,” said Ken Shaurette, director of info security and audit for the Madison-based bank services firm FIPCO. “I’ve seen some extremely crafty ones. They will even fool the experts when they’re well done. And one time is all it takes.” 

In one common ruse, a hacker infiltrates actual email accounts from a title company or real estate brokerage. The crooks might then send, for instance, an email to a homebuyer who is getting ready to close on a mortgage, telling him or her the location where funds should be wired has just changed. 

“It’s coming with an actual email address. You — as a homebuyer — how do you know that wasn’t legitimate?” Shaurette said. 

In its report, the OCC warned that the financial sector continues to see an increase in ransomware attacks with cyber actors using phishing emails as the main attack method. 

In a ransomware attack, the cyber crook finds a way into a company’s system and then encrypts important data and demands money, typically via Bitcoin, to provide a key that unlocks it.  

“Recently, cyber actors have elevated their tactics to not only target and encrypt bank data while compelling payment but also threaten to auction or publish customer information on the dark web,” the OCC said. 

Banks should have a clear understanding of the impact of a ransomware attack and the potential effects on the banks’ customers and third parties, the OCC said. Dealing with breaches often comes at great cost – both financial and to customer relations.  

“Given the nature of what they do, if banks can’t recover because they don’t have appropriate backup or secured backup systems in place, they are likely looking at a scenario of ‘Well, how do we get our data back?’ and that could include paying the ransom,” said Tom Wojcinski, a director in the risk advisory services practice of the Milwaukee-based accounting and consulting firm Wipfli. 

Although authorities say companies never should pay the ransom to regain access to their data, some do. 

“If nobody paid the ransom the market would evaporate and it would stop being a thing,” Wojcinski said. “But people are paying the ransom, so the cyber criminals are continuing to drive innovation of their ransomware. It’s getting better, it’s getting faster, it’s getting harder to detect.” 

Waldman said that when a ransomware group or an attacker gets into a network, they often go 40 to 60 days – and even up to 200 days – without being detected. 

“Which gives the bad guy a lot of time to steal information and then use that as leverage in order to force an additional ransomware payment,” Waldman said. “If you have that kind of leverage, that also means you can ask for more money, and if the company doesn’t pay the ransom, then they threaten to post the data.” 

What is a typical ransom demand to a business? 

“Probably at the beginning of 2019 the average was $30,000 to $50,000, and today it’s over $200,000 on average,” Waldman said. “If you’re a bigger company, then it’s usually seven figures.” 

Given the immense hassle and cost of dealing with a ransomware takeover – and many other types of cyber intrusion – prevention and detection are crucial. 

Experts say companies need to be especially wary during a time when more employees are working remotely instead of in a building where data systems are assumed secure. 

“It’s taking employees that were once on a ‘trusted’ system in their office and potentially moving them out to a personal computer that now has not had the same kinds of controls applied to it,” Shaurette said.  

Said Waldman: “Those folks that are working from home are still working with customer information on behalf of the bank, and there’s a big potential exposure there if they would click on a phishing email or get ransomware that goes back to the financial institutions. The big message is: make sure that you use these next few months to plan around securing your work-from-home folks.” 

What are some ways a bank can protect itself against cyber crooks? 

Use multiple data backups. Waldman stressed backing up data, not just with a cloud backup, but also by keeping a copy offline and not connected to the network – safely away from the clutches of criminals. 

“In almost every case that we’ve worked from a digital forensic incident response perspective, any time an organization has had to pay the ransom, it’s because they didn’t have good data backups,” Waldman said. 

Have a strong patch management system. Staying up to date on patches typically prevents many data breaches, Waldman said. 

Train employees to make sure they’re aware of threats. Wojcinski said banks need to “create a culture of security.” 

“When I say create a culture of security, I’m really thinking about how we need to instill professional skepticism in our end users,” Wojcinski said. “And we need people to really think twice to say, ‘Should I click this link? Should I process this wire transfer? Should I do this? Is that the right thing? Let’s ask for clarification.’” 

Use multi-factor authentication. Hackers can steal or buy email credentials. Having another way to make sure the people behind the account are who they say they are can head off trouble. 

Have strong passwords. “Passwords don’t need to be complex. They need to be long,” said Shaurette. “Passwords don’t need to be hieroglyphic. They need to be unique and they should be long – and by long, it should be 15 characters and plus. If I use three or four unrelated words, I’ve got a long password that nobody is likely to ever guess.” 

Use next-generation antivirus software. While traditional antivirus programs rely on a database of cyber threats, advanced antivirus software analyzes a file before it opens to see if it’s going to execute code in a way that appears to be malicious, Waldman said. 

Make sure your security system can quickly identify intruders. This will keep criminals from having extended time in a bank’s network and records, Waldman said. 

Even with preventive measures in place, “You still need to anticipate those will be circumvented or breached somehow,” said Wojcinski said.  

“We’ve got to have monitoring processes in place to identify suspicious network traffic as endpoint detection tools to look for anomalous processes running on workstations,” Wojcinski said. 

If banks build strong cybersecurity systems, compliance with regulators shouldn’t be an issue, Shaurette said. 

“If you’ve built based on strong industry standards and continue to mature it – it’s a journey, not a destination – you will be compliant to any regulation that ever comes along,” he said. 

FIPCO is a WBA subsidiary and a WBA Gold Associate Member. 

SBS CyberSecurity is a WBA Bronze Associate Member.

Wipfli is a WBA Silver Associate Member. 

By, Alex Paniagua