How you can be your own best first line of defense against hackers

By Rob Foxx, CCBTO

Depending on how old you are, you will have a different perspective on passwords. The more seasoned professionals would have come in at a time when a minimum of six characters, with no capital letters, numbers, or symbols, was commonplace. In comparison, passwords today usually consist of eight characters, with at least one upper-case letter, a number, and a symbol.

With a good computer and access to a vulnerable system, even now those passwords could be cracked by a common brute-force tool in less than six hours. While our technology continues to evolve, unfortunately, so too do the bad actors and threats to our data security.

Digital Security Threats

While some threats are technology based, a consistent number of threats to our passwords are not. Saving a password to a browser is an invitation for trouble. Once you walk away from an unlocked computer, it would not take much effort for someone to log in or even change your credentials without your knowledge. There are many tools that can copy these passwords quickly and with very little expertise.

Additionally, reusing passwords or only slightly changing them is a direct invitation to bad actors. If your password was compromised on a common website and associated with your email, someone has that information, and there is a good chance they are going to try it elsewhere. For example, changing a password from Carl!123 to Carl@123 is also risky, as a list of passwords associated with users’ names fed into a computer could guess this in seconds rather than hours.

Many people write their passwords down and tape them to a monitor. The inside of a desk drawer, or under the keyboard or mousepad, is not a much safer hiding spot.

As many of us are aware, sharing passwords is a bad idea from an accountability point of view. Once someone else has it, you can no longer secure it from being written down or re-shared.

Be aware if your passwords or accounts have been breached in the past. The website have is a staple for those in the information security field. This allows you to check if both passwords and email accounts have been used or discovered in past breaches.

Additional Protective Steps

Like many threats, the best answer is in the hands of the people most at risk. With a little education and a few resources, you could be on your way to making yourself an unappealing target.

  • Multi-Factor Authentication

Multi-Factor Authentication (MFA) is the latest and greatest in terms of locking an account if available. It requires a token or application on your phone to give a random code that matches up to a login service. Using MFA makes unauthorized access very difficult.

  • “Real” Passwords

The NIST (National Institute of Standards and Technology) in their 800-63 publication points out that complexity does not matter to a computer. It only makes it harder for users to remember. Password length makes it exponentially more difficult for a computer to guess or break a password that has not been breached. A 15-character password with all lowercase letters would take a computer an estimated 12 million years to breach. Passwords can be as simple as three unrelated words or based on items found on your desk — coffeelampmouse is a good example. The internet is filled with random password generators, but they are only of limited use as the passwords they generate are impossible to remember.

  • Password Vaults

Password vaults are very reliable and inexpensive or free. They can make and save passwords for you, requiring a single password to access all your other passwords. Because they can generate passwords for you, they remove the need to come up with something new every time you make a password. Some vaults are cloud based; business versions and entirely offline vaults are also available.
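Two points made above, that a small edit such as Carl!123 to Carl@123 is easy to guess and that length outweighs complexity, can be checked when a password is changed. The following Python sketch is an added example, not part of the original article; the function names, the 15-character minimum and the two-edit threshold are assumptions chosen for illustration.

```python
import math
import string

# Character classes an exhaustive guesser has to cover (ASCII only).
_CLASSES = (
    string.ascii_lowercase,   # 26 symbols
    string.ascii_uppercase,   # 26 symbols
    string.digits,            # 10 symbols
    string.punctuation,       # 32 symbols
)


def search_space_bits(password: str) -> float:
    """Return log2 of the brute-force search space: length * log2(alphabet).

    The alphabet is the union of the character classes the password uses.
    This measures exhaustive guessing only; it says nothing about
    passwords that already appear in breach lists.
    """
    if not password:
        return 0.0
    alphabet = sum(len(cls) for cls in _CLASSES
                   if any(c in cls for c in password))
    # Characters outside the four classes (spaces, non-ASCII) count once each.
    alphabet += len({c for c in password
                     if not any(c in cls for cls in _CLASSES)})
    return len(password) * math.log2(alphabet)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _skeleton(password: str) -> str:
    """Lower-cased letters only, so 'Carl!123' and 'Carl@124' both give 'carl'."""
    return "".join(c for c in password.lower() if c.isalpha())


def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is `old` with a symbol, digit or case swapped.

    max_edits=2 is an assumed threshold, not a value from the article.
    """
    if old.lower() == new.lower():
        return True
    skel_old, skel_new = _skeleton(old), _skeleton(new)
    if skel_old and skel_old == skel_new:
        return True
    return edit_distance(old, new) <= max_edits


def evaluate_change(old: str, new: str, min_length: int = 15) -> list:
    """Return a list of findings for a proposed password change.

    `old` is only available at change time, when the user types the
    current password; stored passwords should be hashed and cannot be
    compared this way. min_length=15 is an assumed policy value.
    """
    findings = []
    if len(new) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if is_trivial_variation(old, new):
        findings.append("trivial variation of the previous password")
    return findings


if __name__ == "__main__":
    # Constructed sample values taken from the article's own examples.
    for candidate in ("Carl@123", "coffeelampmouse"):
        print(candidate,
              f"{search_space_bits(candidate):.1f} bits",
              evaluate_change("Carl!123", candidate) or "ok")
```

The 15-letter lowercase phrase scores higher than the eight-character mixed password because every added character multiplies the search space, while adding a character class only widens the base.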

Armed with knowledge of the problem and the tools presented, you can be your own best first line of defense against people trying to take over your digital life. You would not choose a lawyer, doctor, or bank officer who barely meets minimum requirements to do something important, so do not settle for the minimum requirement on the passwords that secure your data either. If you have questions, feel free to ask your local IT or information security professional; they are generally very happy to help people safeguard themselves, as it makes their lives easier as well!

Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.

The rapid growth of synthetic identity fraud

By Hannah Flanders

Like many aspects of our day-to-day lives, the expansion of technology has both enhanced and complicated the ways in which we operate. As more and more of our information lives online, identity theft — once more likely to occur because of a stolen wallet — has also assumed a digital appearance: synthetic identity theft.

What is Synthetic Identity Fraud?

Synthetic identity fraud is defined as the use of a combination of pieces of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.

This form of identity theft has allowed bad actors to combine a stolen Social Security Number (SSN) and other false information — such as a fake name, address, date of birth, or phone number — to create a counterfeit identity to steal funds, escape prosecution, or any other number of criminal and fraudulent activities.

An Alarming Trend

In 2020, the Federal Bureau of Investigation (FBI) named synthetic identity theft as the fastest growing financial crime in the United States. Fraud targets are often those who do not typically use credit or are less likely to monitor their credit activity — including children, homeless individuals, and the elderly. These victims may find themselves blindsided as fraudsters create a new identity, apply for credit, and after years of building good credit by making payments for a time, abandon the account without paying anything back to the financial institution.

While this type of fraud is already difficult to detect due to its elusive or “normal” nature, many bad actors go to incredible lengths to appear as such, states Forbes. In addition to establishing good credit by making payments quickly and on time, some create digital profiles or use P.O. boxes for addresses.

Not only has technology and access to the dark web made PII more accessible to fraudsters, in 2011 the Social Security Administration (SSA) began randomizing the nine-digit social security codes rather than assigning them to individuals based on their geographical location and group number. No longer do social security numbers raise red flags when enrolling or opening accounts “out of state.”

As online banking grows in popularity, so too do concerns for synthetic identity theft. Between prevalent phishing schemes and heightened risks for data breaches, accessing PII and conducting synthetic identity fraud has become much easier than in years prior.

How to be Proactive Against Bad Actors

Inconsistent categorization and reporting make it difficult to identify and mitigate this type of fraud — as far as banks and credit bureaus can tell, these individuals are just like anyone else. . . until they “bust out” or abandon the maxed-out account with no intention of repayment.

After abandoning the false identity’s account, a fragmented file is created. This additional file not only becomes associated with the original SSN but also holds the additional credit report information and other fabricated PII. Unfortunately, this information could negatively impact the credit rating of the real individual.

When working with customers, bankers should advise frequent credit report checks or freezing unused credit at credit bureaus throughout the U.S. so as to deter criminals or catch them early.

In addition, customers may take additional steps to protect themselves and their family against synthetic identity theft. One way parents can protect their children from fraudsters is by requesting their child be added to their credit profile. By adding a child to an adult’s credit profile, not only does the child’s own credit profile become established in his or her name and SSN, but the child is also able to begin building their credit.

The Cost of Synthetic Fraud

While victims of identity theft typically are not liable for fraudulent purchases or accounts, as long as they can prove they are the real SSN holder and not the thief, banks and other financial institutions are left to absorb the cost. This scheme is not only incredibly costly to banks across the country — with losses estimated at $20 billion in 2020, according to the Federal Reserve Bank of Boston — but gaps in the U.S. Fair Credit Reporting Act may have also increased the likelihood of repeat offenders.

The Federal Reserve has reported that bad actors are able to ‘flood the financial institution with an overwhelming number of claims’ on their fake accounts, and when creditors are unable to fulfill the investigation in the allotted timeframes, the disputed item is removed from the false credit report and time and time again, fraudsters get away with the act.

“Synthetic IDs are a struggle for community banks to identify,” states Lenore Breit, vice president – compliance manager at Wausau’s Prevail Bank. “Based on a recent presentation, [community banks] most likely have synthetic ID fraud in their deposit and loan accounts that remains undetected with traditional third-party ID verification programs that most community banks use.”

“There are other, more robust ID verification programs available to detect synthetic ID fraud,” adds Breit. “But they are costly and may not interface with legacy software.”

One such software program, the electronic Consent Based SSN Verification service, was created in part by the Economic Growth, Regulatory Relief, and Consumer Protection Act. The electronic service offered by the SSA was created in 2018 to aid financial institutions in combating synthetic identity fraud and verify an authorizing individual’s name, date of birth, and SSN against the SSA records. Services are based on the annual transaction volume and can cost thousands or even millions of dollars.

Common Signs of Synthetic Identification Theft

While difficult to trace, there are a few significant ways bankers can remain attentive to PII and other key indicators of synthetic identity fraud.

Most obvious is ensuring all SSNs match to the PII given. Do not assume a name change or relocation; ask questions or require verification for the sake of your bank and the security and privacy of all customers. This extra step could make all the difference in protecting the personal information of every customer.

If an account is already open, bankers should note applicants who have the same contact information or SSN as well as those with multiple authorized users.

As synthetic identity fraud becomes increasingly prevalent throughout the U.S., it is critical, for the safety of customers and security of all financial institutions, that Wisconsin bankers are prepared to combat this emerging fraudulent activity, caution community members against sharing unnecessary personal information with others, and assist individuals in regaining their rightful identity if necessary.

If you are interested in learning more about synthetic identity fraud, how these schemes can impact your bank or customers, or more ways you can take a stand against bad actors, please contact WBA’s Legal Team at or 608-441-1200.

By Daniel J. Peterson

As technology continues to advance faster than ever before, the importance of staying up to date on the latest trends and best practices for the safety of both the bank and its customers is quickly becoming the number one concern for Wisconsin bankers.

As the last several years have shown, a growing number of consumers throughout the state rely on technology and online banking for their day-to-day needs. It is critical that, for continued success and relevance of our industry, bankers are aware of not only how best to serve our customers through offering modern banking amenities, but how to best protect our communities from increasingly more sophisticated — and prevalent — fraudsters.

For this purpose, in addition to ensuring that all Wisconsin banks remain a safe, secure place for finances and sensitive information, the Wisconsin Bankers Association (WBA) will once again host a combined Secur-I.T. & BSA/AML Conference. The conference specifically targets BSA/AML, operations, security, and technology banking professionals looking to remain educated on our ever-evolving industry.

This year’s annual conference will be held September 20 and 21 at Glacier Canyon Lodge in Wisconsin Dells and features a unique variety of speakers. From local professionals and WBA Associate Members to world-famous cyber security expert and ethical hacker Bryan Seely, WBA’s Secur-I.T. & BSA/AML Conference will assist banking teams in understanding how best to protect against hackers, what trends to watch for in money laundering, and so much more. This is an event you don’t want to miss!

By engaging in conferences such as WBA’s Secur-I.T. & BSA/AML Conference, bank leaders can ensure their staff is gaining the most relevant and up-to-date banking-related information from the most knowledgeable individuals in the industry. Along with over seven hours of presentations focused on the safety and security of our banks and customers, bankers will enjoy networking with professionals from across the state and meeting with exhibitors offering products and services that help community banks further advance their customer service capabilities.

Please visit to register or for additional details.

Peterson is president and CEO of The Stephenson National Bank & Trust, Marinette, and the 2022–2023 WBA Chair.

WBA’s Secur-I.T. & BSA/AML Conference returns in 2022

As cybersecurity and fraud continue to be rising topics of discussion throughout the banking industry, bankers are encouraged to stay informed on the latest trends experts are seeing and how regulations will continue to impact Wisconsin banks by attending WBA’s annual Secur-I.T. & BSA/AML Conference held in Wisconsin Dells.

The two-day conference — beginning September 20 and adjourning at noon on September 21 — draws over 125 BSA/AML, operations, security, and technology professionals from around the state for over seven hours of educational presentations and networking.

This year’s keynote session will feature Bryan Seely, a world-famous cyber security expert, ethical hacker, author, and former U.S. Marine. Seely became one of the most famous hackers in 2014 when he became the only person to ever wiretap the United States Secret Service and FBI. Before he was caught, he confessed to the two agencies that there was an issue that needed to be fixed.

Unlike many hackers, Seely is passionate about fighting for consumers’ rights, privacy, and educating the public about how to stay safe in a constantly changing technological landscape. In this keynote session, Seely will highlight the different ways in which hackers think and the new, creative ways professionals must approach security in order to protect the most critical information of the business and customers.

In addition to this captivating keynote speaker, the Secur-I.T. & BSA/AML Conference offers several breakout sessions and networking opportunities that will assist banking professionals from throughout Wisconsin in further developing their bank’s customer experiences, BSA/AML program, security, and technology capabilities as the banking and technology industries continue to evolve.

By Rob Foxx, CCBTO

I frequently get asked, “How do I or my other non-technical staff help keep my institution safe from electronic threats?” Ransomware is the topic of the day, and I don’t know that there will be changes to that any time soon. There are a few things that can make protecting yourself easier. Good security is done in multiple layers of defense and requires participation of all members of your team.

Involve Your Whole Team

Cybersecurity is the responsibility of all members of the business, not just IT. To that end, everyone needs to know what common tactics are used to compromise your security. Learning how to identify phishing emails as well as business email compromise and reporting these types of events could be the difference between fighting a breach or dodging one. This kind of mindset has been in physical security for a very long time, but it has been a lot slower to be adopted into data security. By educating your staff and yourself and reporting it to the right people in your organization, you can avoid a very common but costly pitfall.

Ensure System Maintenance is Up to Date

The next item is a task that IT performs but is something leadership should both understand the basics of and require accountability for. Keep your systems updated and patched. An alarming number of breaches over the years could have been prevented by simply keeping systems up to date. Microsoft pushes out Windows patches the second Tuesday of every month, which should be reviewed for issues with your environment and deployed as soon as possible. There are tools that make this very easy to perform should you invest in them. Less obvious patches to other software like Adobe Reader, Google Chrome, and even your remote connection software, are equally important. Keeping an inventory of your software assets and checking them regularly for updates and patches can reduce your attack surface. Updates should not only be done, but they should also be reported to management and/or the board of directors at a regular frequency.

Secure Your Passwords

Get secured passwords or, if possible, multi-factor authentication. Insurance companies offering cyber insurance policies are pushing for people to utilize tools such as authenticators on your phone for multifactor authentication. While this is ideal, it may not be in place in many institutions. The National Institute of Standards and Technology (NIST) security framework used by the U.S. Department of Defense recommends longer passwords (16+ characters) without complexity and no expiration unless you have reason to believe it was exposed. Passwords can be as simple as picking out 3 random words such as doorbluecomputer. This is easy to remember and difficult for a computer to guess. If you can’t use multifactor authentication, using a password manager can enable you to use many complex and long passwords that you could never otherwise remember.

Give IT and Security a Seat at the Table

Bring IT and information security into your decision-making process. If this is something that is not being done currently, consider adding these people to the team that makes your highest-level decisions. They will have a perspective on additional costs as well as potential problems and conflicts that may occur. While they may not represent the majority of your staff or income, they speak for a considerable portion of your assets. There are few things as frustrating as going forward with a new project and not having considered how it will work with the rest of your environment or whether you have the hardware or software to support it without extra expenditure of assets. Additionally, there are many problems that exist within a business that your more technical staff could offer a solution to that the rest of the staff may not have known about.

Keep Up With Advancements in Technology

Don’t let technology outpace you. New technologies come out every day, and while you’re not expected to be on the leading edge, you should at least keep a healthy pace with it. For example, if you are using a conventional virus scanner, you are already behind the times. Zero-day exploits (bugs that are either unknown or unpatched) and fileless malware and viruses are also not detected by traditional antivirus products. Fileless attacks are becoming more prevalent, and you can get them any number of ways. It could be as innocent as going to a website: without any need to click or download anything, and without your permission, you could have brought an unwanted problem to your institution. Though a bit on the pricier side compared to traditional antivirus, next-generation products in this field are far more capable than their older counterparts.

Most of the items presented are of a non-technical nature and should be part of making your staff work well with your information security team and vice versa. In our more modern environments of work from home, it is more important than ever to make cybersecurity a part of everyone’s day to day.

Foxx is information security and audit advisor for FIPCO, a WBA Gold Member.

By Paul Gores

With cyberattacks on U.S. businesses a possibility as Russia’s war against Ukraine rages on, financial institutions need to make sure their cybersecurity measures are first-rate and up to date, experts say.

The White House has warned that Russia could try to disrupt digital operations and damage the U.S. economy in retaliation for sanctions against Russia after its invasion of Ukraine.

Ransomware attacks on U.S. businesses, some based in Russia, already have been growing in recent years, and recently, the FBI said it discovered and secretly removed malware that hackers from Russia had placed in computer systems worldwide. Some American leaders think Russian President Vladimir Putin still has plans to try to inflict a major cyberattack.

If he does, banks that have been diligent and proactive about protecting their systems from hackers should be less vulnerable to the chaos a cyberattack could cause, experts say.

Banks need to make sure they’ve taken inventory of all of their technology assets and are doing what they can to keep them safe from attackers.

“Know what those assets are — all your software, hardware — and then from there follow your basic cyber hygiene,” said Scott Noles, assistant vice president and information security officer for Mukwonago-based Citizens Bank. “Are they up to date? Have you patched them? Do you have end-of-life software? Do you have anything that’s in your environment that shouldn’t be? Those I think are really mission critical.”

While many assume the Russian government would want to target the biggest banks and core processors to cause the most disruption to the financial system, infiltrating a bank of any size would be a win for attackers, experts say. That’s why it’s important for community banks to ensure techniques cyber crooks often use to bust into an institution’s system, including phishing emails that can be the gateway to a system takeover, will run into a tough defense. Training employees not to respond to infecting emails, whether in the office or working remotely, is one important step.

“Everyone’s digital life, whether it’s at work or at home, is intertwined now,” said Ian McShane, vice president of strategy for the cybersecurity firm Arctic Wolf Networks. “You can get compromised at home and have that lead into your work life as well. Just because you close the door on your laptop at work doesn’t mean you don’t need to remain vigilant. It can be a risk to businesses wherever you are.”

McShane and others stressed that multifactor authentication is crucial. With multifactor authentication, users must submit two or more pieces of evidence to verify their identity in order to gain access to a digital resource. An organization must at least make sure that all of its information technology workers are using multifactor authentication.

In addition, McShane said, a bank’s IT pros or security officers should take stock of which machines in the system are accessible from the internet.

“And make sure there is a good reason for those machines to be accessible from the internet as well, because they are going to be the first bastion of adversarial activity,” he said.

Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, said specialty insurance carriers considering coverage applications from banks are requiring multifactor authentication.

“What the carriers are looking for amongst other internal controls, the big key is multifactor authentication,” he said. “And that multifactor authentication expands to all users, but most important are privileged users which are those users that can access critical systems, install software, and change security settings.”

Otteson said insurers also need to know that critical patches and updates are implemented and deployed, and they want servers and back-ups to be encrypted. Without those measures, “They put themselves at risk,” he said.

Banks must always be diligent and vigilant — and that was expected even before the Russian threat in the wake of the Ukraine invasion.

“There is no institution that’s immune from a potential cyberattack,” Otteson said.

The security measures of vendors that have access to bank data also have to be airtight, said Jeff Kurek, vice president, information services and cyber security for Park Bank in Madison. He said vendors ranging from those managing IT all the way down to the bank’s HVAC company could put a bank at risk if they have access to the internal system.

“We are heavily regulated, we’ve always had information security programs in place, we’ve always been audited,” Kurek said. “But what about our third-party vendors — the vendors that we utilize to provide us our critical services?”

If Russia were to mount a large cyberattack on the U.S., major infrastructure could be key targets, many believe. But cyberattacks could produce side victims like smaller banks. McShane said most incidents are opportunistic.

“They happen because someone clicks on something that they weren’t aware was weaponized, or it was part of another kind of attack or breach or ransomware campaign, and someone has noticed, ‘Hey, we’ve got access to a bank here,’” he said.

While the main goal of a Russian cyberattack would be to disrupt and damage the U.S. and its economy, extortion could be another result. Ransomware thieves normally try to break into an organization that has the insurance coverage and wherewithal to pay a multi-million ransom — an organization like a bank.

Big banks have the money to beef up their defenses in ways that a community bank might not, perhaps leaving the smaller bank more at risk if, say, the bank has let its software age and it no longer is receiving vendor patches to fix vulnerabilities.

“I think the smaller regional banks or city-based institutions don’t have that same luxury of being able to throw money at it,” McShane said.

But experts said no matter what size the bank is, it has to make cyber security a priority and be willing to spend the money to do it. The downside of a breach or extortion is too brutal, they said.

“I believe that any nation states that they’ll (Russia) be attacking, they will go after the biggest targets possible, but they also realize the biggest targets are the ones that are hardest to get into,” said Noles. “So what they’ll be doing is looking at anybody they can get into.”

The No. 1 method of attack still is phishing.

“They are trying to send you a link to see if they can get somebody to click on it, because then they can get credentials, they can get inside environments, they can install malware,” Noles said.

The cost of cybersecurity is increasing, but that’s just reality in today’s increasingly tech-driven world, experts say.

Otteson cited a Financial Crimes Enforcement Network (FinCEN) report showing that during the first half of 2021, financial institutions reported 635 suspicious ransomware-related activities, or 30% more than all reported activity in 2020. FinCEN said more than $590 million in payments tied to ransomware attacks occurred in the first six months of 2021, up from $416 million in all of 2020.

“(Insurance) rates are going up on these lines because the claims have been going up,” Otteson said.

Noles said vendors also can drive up the cost of cybersecurity by pushing new products. Many banks would be better off making sure they are effectively using capabilities of tools they already have purchased, he said.

“What do vendors have to do? They have to sell a new product. They have to sell a new blinky box or a new tool,” Noles said. “So they’re using what I call FUD — fear, uncertainty, and doubt — to get you to spend more money on their products.”

There’s no question cybersecurity costs will continue to rise.

“Probably eight years ago I saw an article of some sort that said ‘bringing IT from the backroom to the board room.’ That sort of stuck with me,” Kurek said. “And what that really means is that cybersecurity should be a strategy to the organization. It’s not just a keep-the-lights-on thing anymore. Cybersecurity is huge. It’s an inherent risk at this point to any company, and it should really be part of your overall company strategy in my opinion.”

If an incident takes place, banks also need to have a solid communication plan for reacting to it, making sure their lawyers, regulators, law enforcement, and customers are informed as promptly as possible.

“They should have a business continuity plan, and they should have an instant response plan, and they should be updating those regularly and they should be testing them regularly,” Kurek said. “And what a better time to test than now.”

Said McShane: “Nothing is more important in security than understanding you’re going to have an incident at some point, and it’s better to be prepared to know what to do when it happens.”

Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

Midwest Bankers Insurance Services is a WBA Gold Associate Member.

Arctic Wolf Networks is a WBA Bronze Associate Member.

Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021, Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associate’s degree in data processing. Over the past two decades, he has also garnered a collection of training courses through vendors and trade schools as well as certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give more processing power and ability to manipulate data to users and as the data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but out at the desktops anywhere in the company.

As data collection and storage abilities improved, not only did it become more difficult for all the information to be properly secured, it became increasingly important. Regulations have been created today in order to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our companies’ DNA,” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message in appreciation over the last 13 years, “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”

By Kenneth D. Thompson, WBA Board chair, president and CEO of Capitol Bank, Madison

January marks the halfway point of my time as WBA chair and as we transition into a new year, there are undoubtedly new things to look forward to as an industry and as an association.

Our successes in 2021, many of which related to the ongoing uncertainty of the COVID-19 pandemic, taught us all valuable lessons I hope can be brought with us into the new year. From low levels of past-due loans throughout our industry to excess liquidity, it’s safe to say that stepping outside of our routine has resulted in spectacular results.

Looking onward to 2022, I encourage bankers to approach challenges with the same curiosity we have for the past two years. As our industry continues to grow, how will each of us lead the way in making Wisconsin banks efficient, diverse, and robust?

WBA has long known that banks are cornerstones in our communities and as such, should be leaders in embracing societal developments. Technology, for both our customers and employees, has been and should continue to be an aspect that sets our industry apart. In embracing these digital channels, banks have a unique ability to meet the expectations of customers while also supporting them with cybersecurity and best technological practices.

Our ability to advance diversity, equity, and inclusion (DEI) efforts, as well as offer flexibility to employees, has the potential to set our industry apart. This is especially important to consider as we navigate through a competitive hiring and retention landscape.

As we all envision a brighter 2022, it serves us to remember that innovative solutions, such as PPP and advances in online banking, have provided our communities with much-needed assistance in the past. We must not be held back by what we are familiar with. This pandemic has taught us all that some of the most effective answers may not be the ones that have been tried before.

It is essential for banks to approach these situations with caution instead of resistance and as always, WBA remains a valuable resource in education, advocacy, and community involvement for each of us as we look forward to what’s to come in 2022.

This year’s event centers around the theme “Rise”

The Wisconsin Bankers Association is thrilled to announce that the annual Bank Executives Conference will be back in person February 9–11, 2022 at the Kalahari Convention Center in Wisconsin Dells. This is the premier event for bank leaders in the state. The theme of this year’s event will be “Rise.” Wisconsin bankers have risen to the occasion over the course of the pandemic, and this conference will address what it will take to be resilient and relevant in 2022.


Being back in person opens the door for the kind of networking opportunities that bank leaders have been craving for nearly two years. The conference will kick off with a networking reception on Wednesday evening, but bankers are invited and encouraged to arrive earlier for optional afternoon “banker-only” peer group discussions starting at 2:30 p.m. Peer group discussions are geared toward the roles of CEOs, CFOs, credit and lending, operations, and organizational development. Opportunities to connect with fellow bankers, WBA Associate Members, and WBA staff will be plentiful throughout the conference, with an exhibitor Marketplace providing a dedicated space for making connections.

Executive-Level Education

The WBA Bank Executives Conference brings national experts to Wisconsin, while providing tailored programming specific to the needs of banking leaders in our state. Among the trending topics that will be covered at the conference are:

  • Changes that emerged during the pandemic that are now here to stay
  • Talent recruitment and retention
  • Technology, fintech, and digital transformation
  • Cryptocurrency
  • And more!

New Hybrid Option for 2022: A livestream will allow attendees at the bank to view the keynote sessions on February 10 and 11.

The opening keynote session is titled, “Business as Unusual: How to Future-Proof Your Business in Transformational Times.” In this engaging, provocative, and insightful keynote session, acclaimed global futurist and best-selling author Jack Uldrich will not only discuss how the Coronavirus is transforming the world of tomorrow, he will explain why it is accelerating many of the trends that were already at work prior to the epidemic. History reminds us that great crises produce great change — as well as great opportunities. To take advantage of these extraordinary opportunities, businesses must position themselves now to operate in a world where “business as unusual” is the new “usual.” This session will help leaders at every level of an organization leverage ten “unconventional” techniques to succeed in today’s — and tomorrow’s — transformational times.

Dr. Chris Kuehl, managing director of Armada Corporate Intelligence, will present a keynote session, “2022 – The Real Recovery Year?” That honor was supposed to go to 2021, but we all know what happened over the last several months — inflation, labor shortage, supply chain breakdowns, and the repeated resurgence of the virus. Now we have these lingering issues along with the reactions — higher interest rates, efforts to restore, continued engagement by the government. The bankers have been placed squarely in the middle of all this and expected to do most of the heavy lifting. Does that continue and what can we really expect as far as growth and recovery?

For more details on programming and to view the full agenda, please visit

Banking leaders are eager to rise to the challenges ahead of them, and the conference will provide actionable tools and knowledge attendees can bring back to their banks and communities.


The 2021 Banker of the Year will be announced at the conference, recognizing a bank CEO or president (or an individual who has recently retired from these positions) who has made an outstanding effort throughout their career in service to their bank, to their community, and to the banking profession.

The Wisconsin Bankers Foundation Financial Education Innovation Award will be presented at a special luncheon on February 10. This prestigious award recognizes a bank’s unique efforts to enhance the financial capability of consumers in their community, whether it’s a new kind of educational game for students, curriculum developed for adult seminars, or some other new or innovative approach to financial education.

The 50- and 60-Year Clubs recognize bankers who have served in the banking industry for 50 and 60 years, respectively. These awards will be presented during the special luncheon at the conference to honor professionals who have dedicated their careers to the banking industry.


Ope! Charlie Berens, best known to Wisconsinites for his viral video series, “The Manitowoc Minute,” will perform at the Chairman’s Dinner Program on Thursday, February 10.

Comedian, Emmy award-winning journalist, and Wisconsin native Charlie Berens — who rose to fame from his video series, “The Manitowoc Minute” — will provide the entertainment for the Chairman’s Dinner Program on February 10. Attendees can expect lots of laughs from the author of the recently released book, “The Midwest Survival Guide: How We Talk, Love, Work, Drink, and Eat. . . Everything With Ranch.” Berens has been featured on Fox, CBS, Funny or Die, TBS Digital, Variety, MTV News, and more. In 2013, he won an Emmy for “The Cost of Water” while reporting for Texas news station KDAF. “The Manitowoc Minute” series has garnered millions of views and paved the way for a sold-out standup comedy tour. Geez, Louise, this is sure to be a hilarious show you won’t want to miss!


To register for the conference, please visit We look forward to seeing you Wednesday, February 9–Friday, February 11 at the Kalahari Convention Center in Wisconsin Dells!

As bankers seek resources for how best to manage and mitigate risks associated with ransomware and other malicious code, don’t forget about the free resources offered by the Conference of State Bank Supervisors (CSBS) which include a ransomware self-assessment tool and resource guide.

The Ransomware Self-Assessment Tool (R-SAT) has 16 questions designed to help banks reduce the risks of ransomware. The Bankers Electronic Crimes Taskforce (BECTF), State Bank Regulators, and the United States Secret Service developed the tool. It was developed to help banks assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security. The tool provides executive management and the board of directors with an overview of the bank’s preparedness towards identifying, protecting, detecting, responding, and recovering from a ransomware attack.

The resource guide titled CSBS Executive Leadership of Cybersecurity (ELOC) Resource Guide, or “Cybersecurity 101,” is tailored to furnish executives with the necessary tools to better understand and prepare for the threats faced by their bank. The guide addresses challenges faced by both banks and nonbanks and is intended as an easily digestible, non-technical reference guide to help executives develop a comprehensive, responsive cybersecurity program in line with best practices. As each bank is different, the advice in the guide can be easily customized to meet each bank’s unique threats, priorities, and challenges. While the resource guide does not guarantee prevention, it attempts to identify various resources — people, processes, and tools and technologies — that, when properly leveraged, work to reduce a bank’s cybersecurity risk. 

Ransomware Self-Assessment Tool

The Resource Guide

Best Practices for Banks: Reducing the Risk of Ransomware (Developed by the Bankers Electronic Crimes Task Force)


FedNow is nearly here! This new payment channel will require proper planning and risk assessment. Join us to learn and prepare for working with the FedNow service while also managing risk and product compliance.

After This Webinar You’ll Be Able To:

  • Identify whether an audit or risk assessment is required for the FedNow service and how to comply
  • Describe the potential fraud associated with faster payments
  • Understand the unique risks of faster payments
  • Take advantage of the fraud controls offered by the Federal Reserve for the FedNow service
  • Establish a foundational understanding of the FedNow rules and regulations

Webinar Details

As we approach the release of the FedNow service in 2023 — the first new payment channel from the Federal Reserve in 40 years — it is important to properly prepare. FedNow instant payments will be different from payment channels of the past. It is critical for financial institutions to understand the risks, controls, rules, and regulations surrounding this new service. Join the Payments Professor, Kevin Olsen, to learn about the risks and fraud that could be involved with FedNow, now!

Who Should Attend?
This session is best suited for directors, managers, compliance officers, and operations personnel.

Take-Away Toolkit

  • Links to FedNow service resources for fraud controls and the FedLine Security & Resiliency Assurance Program
  • Employee training log
  • Interactive quiz
  • PDF of slides and speaker’s contact info for follow-up questions
  • Attendance certificate provided to self-report CE credits

NOTE: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your agency is prohibited. Print materials may be copied for eligible participants only.


Kevin Olsen, AAP, NCP, APRP, CHPC – VSoft Corporation
For most of the past two decades Kevin Olsen has been managing the development and delivery of education services, including in-person, web conferences, and webcasts. Olsen creates programs, presentations, and articles designed to orient and educate financial professionals on electronic payment topics. As the “Payments Professor,” he brings enthusiasm and motivation to presentations. He views the world as a classroom, which is exemplified in the “edutainment” ed-u-tain-mint (noun: when education is motivating, informative, and fun) style of training he uses to educate and inform all on the latest developments and trends in the fascinating world of electronic payments.

Registration Options

  • $245 – Live Webinar Access
  • $245 – OnDemand Access + Digital Download
  • $350 – Both Live & On-Demand Access + Digital Download

The 2023 WBA Security Officer Workshop will be offered in a hybrid format this year. You have the option to attend in person at Glacier Canyon Lodge in Wisconsin Dells or attend virtually via livestream.

Bank Security Officers are responsible for supervising the security program which must address five broad areas: physical security, personnel security, information security, crime prevention and detection, and investigations. This is changing!

Banking has evolved into using more technology for customer interaction which is changing the interpretation of the Security Officer role as well as their focus on bank security.

New questions are constantly cropping up: How are new machines affecting your branch layout and the overall safety of your people? How are personal devices affecting your front line staff’s interactions with customers? Although security is the main focus, what other duties should a security officer be familiar with?

Join us for this full day session that delves into the Security Officer role in modern banking.

Who Should Attend:
This full day workshop is for anyone that is responsible for or interested in Bank Security, including but not limited to Security Officers, Cashiers, Training Officers, Branch Managers, HR Managers, Compliance Officers or anyone that is face to face with customers on a daily basis.

The registration fee of $175 includes program registration, instruction and materials, refreshment breaks and lunch for those on-site. A recording will also be available once this session has officially ended.

Refund Policy:
A refund, less a $25 administrative fee, is provided for cancellations requested on or before March 17th.

If you’ve ever Googled yourself, you know there’s plenty of information publicly available about each person via the Internet at all times. It’s next to impossible not to leave a digital trail OR delete yourself from the Internet these days. The same can be said for your business. What information about your organization, employees, customers, vendors, and software is available via internet search tools? And even worse yet, how can cyber attackers leverage this information to build a specific, targeted attack against your organization or customers?

Open Source Intelligence (OSINT) is a common method hackers use to perform reconnaissance and create detailed, specific attack scenarios based on your organization. Odds are, a few searches or free tools can dig up more business information than you might initially think is readily available. The more tailored a cybercriminal can make their attack, the better chances they have at compromising your business.

What You’ll Learn

  • The OSINT model
  • Online Cyber Risk Scores
  • How to assess your internet-facing vulnerabilities
  • Other freely available “hacker tools”
  • How to reduce your attack vectors
  • Accepting the risk when necessary

Who Should Attend
Board Members, Executive Team, and Managers responsible for Information Security. Both board members and information security professionals will benefit from this session. Board and Senior Executives will receive a basic review of Cybersecurity and a strong Information Security Program, plus questions to ask of management. Members of the management team will benefit from a better understanding of what the board needs to know, how to communicate it, and tips in creating a strong culture.

Instructor Bio
Cody Delzer, CISA, is a VP Information Security Consultant for SBS CyberSecurity, LLC of Madison, SD who has a Bachelor of Science Degree in Computer and Network Security from Dakota State University and 9 years’ experience in IT and IT Security; 2 years in Systems Operations and 7 years in Information Assurance. Delzer has worked with over 200 Financial Institutions and other private industry organizations across the United States.

Registration Options

Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts $279

  • Available Upgrades:
    • 12 Months OnDemand Playback + $110
    • 12 Months OnDemand Playback + CD + $140
    • Additional Live Access + $75 per person

The FFIEC Cybersecurity Assessment guidance has introduced a new term for our risk management practice: External Dependency Management. We will explore this new term in our guidance and better understand the requirements provided. This new term is a broader description of vendor management, service provider oversight, third party management, and new requirements around customer risk management.

This session will discuss the following topics:

  • Current regulatory Vendor Management landscape
  • Integrating vendor management into the Information Security Program
  • Risk assessing vendors
  • New vendor or product Selection
  • Ongoing vendor management
  • Creating a DYNAMIC vendor management program
  • Leveraging SOC reports for control understanding
  • Integration of customer relationships into risk management process

Target Audience: Information security officer, IT manager, risk officer, internal auditor, and executives looking to understand the risk of vendor relationships

Presenter: John Helland, SBS CyberSecurity, LLC

Registration Option: Live presentation $330

Recording available through February 4, 2023

BACK AGAIN IN 2022: The 2022 Secur-I.T. Conference is now combined with the annual BSA/AML Conference!

The 2022 WBA Secur-I.T. & BSA/AML Conference will be held on September 20-21 at Glacier Canyon Lodge in Wisconsin Dells. The conference will kick off at 8:30 a.m. on Tuesday and adjourn at Noon on Wednesday.

This annual meeting brings together BSA/AML, Operations, Security and Technology banking professionals from all around the state of Wisconsin for education and networking. Attendees will benefit from over 7 hours of presentations from nationally recognized speakers and local professionals; network with more than 125 banking peers; and meet several exhibitors who offer products and services geared to better your bank’s customer experiences, BSA/AML program, security, and technology. You won’t want to miss this great event!

Registration Information

Banker Registration:

The registration fee of $350/attendee includes conference materials, Tuesday refreshments, lunch and reception; and Wednesday breakfast and refreshments. If your bank brings multiple attendees, each person after the first registrant is $300/attendee.

To receive the published discount, you must register everyone at the same time.

Associate Member Registration: 

The registration fee of $450/attendee includes conference materials, Tuesday refreshments, lunch and reception; and Wednesday breakfast and refreshments.

Refund Policy: A refund, less a $25 administrative fee, is provided for cancellations requested on or before Thursday, September 15, 2022.

Exhibitor Registration:

Exhibit Booths are available for $650 for Associate Members and $1,150 for non-Associate Members. Exhibit booth registrations include one attendee. Additional booth attendees can be registered for $250/attendee. Visit the Information for Exhibitors/Sponsors tab for more information.

It seems like fraudsters are always one step ahead. The battle against sophisticated social engineering attacks continues. Are you keeping up? Join us to learn the latest schemes and defenses.

• Identify social engineering exploits that may be successful at your institution
• Understand how attackers are using multiple forms of social engineering to gather information throughout your institution
• Detect suspicious calls that may have been overlooked
• Determine areas that may be susceptible to onsite social engineering exploits
• Take steps to protect against complex threats

The previous year saw social engineering attacks increase in both volume and sophistication. The perpetrators of social engineering (SE) attacks are smart, motivated, and persistent. Phishing emails are by far the predominant SE security breach, but the last year also saw deepfakes (a type of artificial intelligence) being used to create convincing images, audio, and video hoaxes. By using artificial, enhanced voice simulation, fraudsters stole $35 million from a bank in the United Arab Emirates. COVID-19 has forced many institutions to close lobbies for extended periods of time and this has contributed to an uptick in successful onsite SE exploits. A combination of multiple types of SE attacks spread over time has contributed to an increase in SE-related losses. Join this insightful webinar to learn how to confront these threats.

This session is designed for chief information security officers, senior management, call center personnel, operations staff, and anyone responsible for securing accountholder information.

• List of the most common social engineering test failures
• Checklist of defensive measures to limit social-engineering attack effectiveness
• Questions to ask your IT auditor to scope effective social engineering testing
• PDF of slides and speaker’s contact info for follow-up questions
• Attendance certificate provided to self-report CE credits
• Employee training log
• Interactive quiz


John Moeller is a principal at CLA in the IT & Cyber Security Services Group. For over 30 years, Moeller has served the technology needs of financial institutions across the country. His experience includes strategic technology planning, technology and vulnerability/risk assessments, controls reviews, information security and business continuity program development, and board of director training.

Moeller is a frequent speaker on information security, IT assessments and strategy, CIO outsourcing, and managed IT services. He holds several professional certifications, including Certified Information Systems Security Professional, Certified Ethical Hacker, and EC Council – Certified Security Analyst. He received a bachelor’s in Information Technology from Capella University.


  • $245 – Live Webinar Access
  • $245 – OnDemand Access + Digital Download
  • $320 – Both Live & On-Demand Access + Digital Download

What do 36 hours, May 1, 2022, and computer security have in common? They are all elements of the new reporting requirement for cyber security and ransomware incidents. Will you be ready for the May 1 deadline?


  • Implement appropriate practices to discover computer-security occurrences and determine whether they rise to the level of a notification incident
  • Identify critical timing requirements
  • Explain when notification is required to a primary federal regulator and to the banking organization
  • Assess if contractual notification provisions are consistent and compliant with the new law
  • Define a computer-security incident
  • Meet the 36-hour notification requirement after a notification incident

Computer-security incidents targeting the financial services industry have increased in frequency and severity in recent years. In an effort to promote early awareness of emerging threats, banking organizations and bank service providers are now required to comply with mandatory reporting requirements effective May 1, 2022. Proper identification of a triggering incident and timely reporting are critical actions imposed by this final rule.

The reporting requirements expand beyond a cyberattack and include additional types of non-malicious failure of hardware and software, such as a widespread user outage for customers and bank employees. It’s critical that your financial institution understands the various types of incidents that may trigger the notification requirements and develops the appropriate policies and procedures to fulfill the new requirements of this recently issued mandatory rule. Don’t let the 36-hour clock expire without meeting the notification requirement. Join us to learn the details of the final rule and receive recommendations on policies and procedures to assist with mandatory compliance reporting requirements.

Attendance certificate provided to self-report CE credits.

This informative session would best suit compliance officers, information security officers, senior management, business continuity officers, and those responsible for oversight of critical third-party servicers.


  • Checklist to aid in making required notification decisions
  • Required notification record
  • Fact sheet explaining the critical components of the final rule
  • Employee training log
  • Interactive quiz

PRESENTER – Molly Stull, Brode Consulting Services, Inc.
Molly Stull began her career as a teller while working on her undergraduate degree and has continued working in the financial industry ever since. She has experienced the growth of a hometown bank, branch mergers, charter changes, name changes, etc. Stull has activated business resumption plans, performed secondary market quality control reviews, processed wires, filed SARs, and coordinated reviews with external auditors and examiners. Her favorite role has always been educating staff, and she strongly believes that if staff understand the reason for a process they will be more compelled to follow the procedures. Stull holds a bachelor’s from the University of Akron and an MBA from Ashland University.


  • $245 Live Webinar Access
  • $245 On-Demand Access + Digital Download
  • $320 Both Live & On-Demand Access + Digital Download

On November 18th, 2021, the FDIC, Federal Reserve, and OCC jointly published a final rule that imposes a new 36-hour notification requirement on banking organizations and bank service providers following significant cybersecurity incidents. While this new requirement is certainly a big deal, the rule comes with some caveats and more clearly defined standards for reporting.

What You Will Learn:

  • The definitive requirements of the new Incident Notification Rule
  • Definitions of “Incident” and “Notification Incident” specified in the Rule
  • Actions to take immediately
  • How does this new Rule affect the rest of your Incident Response Program
  • Components of an IRP that help achieve the new Rule requirements

Who Should Attend?
Information security officers, IT Managers, risk officers, internal auditors, Board members, or other management team members looking to understand risks from ransomware.

Jon Waldman is a co-founder and Senior Information Security Consultant for SBS CyberSecurity, a premier cybersecurity consulting and audit firm dedicated to making a positive impact on the banking and financial services industry. He maintains his CISA and CRISC certifications and received his bachelor of science in computer information systems and his master of science in information assurance with an emphasis in banking and finance security from Dakota State University. Over the last ten years Waldman has helped hundreds of financial institutions across the country create and implement comprehensive, valuable, and manageable Information Security Programs. He also conducts webinars and certification programs for the SBS Institute.

Registration Options

  • Live Plus Five (days) – $265
  • OnDemand Recording – $295
  • CD-ROM – $345
  • Live Plus Six (months) – $365
  • Premier Package – $395

The implementing regulations of the Bank Protection Act require the security officer to report annually to the board on the “implementation, administration, and effectiveness of the security program.” As banks downsize or right-size, danger in the security area increases. Learn how to educate your board on these issues with skill and diplomacy.

This webinar will review best practices relating to training, inspections, and foreseeable events that should be reported to the board. Learn how the annual written report should be prepared, presented, and reported. Security officers and board members will garner valuable resources that can provide statistics, facts, and information to reduce liability.

Many financial institutions are satisfied if regulators don’t take issue with the board report or the security program. However, don’t wait for a lawsuit against the security officer, management, and the board (both jointly and individually) to discover your report was missing key items. Information that could help during litigation is very different than what regulators examine for compliance. Be aware that the report is not just for the board – a much larger audience will review it if something goes wrong.

Attendance certificate provided to self-report CE credits.

  • Report foreseeable events that could bring liability against the board
  • Identify information that should be reported to the board annually
  • Present major problems to the board with limited time
  • Explain why the security officer/risk management department should report to the board in person
  • Understand what is included in the security function
  • Keep records that will make board reporting easier

This informative session was designed for auditors, security officers, risk management staff, senior management, and board members responsible for the security function.

  • Sample annual board report
  • Sample top sheet for board reporting
  • Special report form
  • Incident report form
  • Security tips
  • Employee training log
  • Interactive quiz

ABOUT THE PRESENTER – Barry Thompson, CRCM Thompson Consulting Group, LLC
Barry Thompson is an international speaker, trainer, consultant, and writer. He is a security and compliance “guru” for a leading national training organization and regularly presents security conferences for trade groups – he has trained over 51,000 financial professionals.

Barry is recognized worldwide, presenting in Brussels, Belgium to European bankers on internal fraud; at the United Nations on identity theft; and to Japanese bankers on bank security. Barry has worked in the financial services industry for over four decades, and has held the positions of security officer, compliance officer, treasurer, senior vice president, and executive vice president. He has handled over 900 security cases and has been involved with investigations and prosecutions at the federal, state, and local levels. Barry is the author of 101 Security Tips for the Beginning Security Officer and has been interviewed by Newsweek, Computer World, USA Today, and other national publications.

Live Webinar Access – $245
On-Demand Access + Digital Download – $245
Both Live & On-Demand Access + Digital Download – $320

A global information security organization reported that 85 of 100 financial institutions experienced fraud in the digital account opening process. It’s crucial that financial institutions use multilayered methods for fraud screening. Yet consumers expect more digital access at a time when cybersecurity has become a significant threat. What steps should be taken to verify the customer’s identity in view of an increased risk of identity theft?

Covered Topics

  • What are the rules? Learn about Federal regulations for E-Sign and the Uniform Electronic Transactions Act (UETA).
  • Which lending regulations are related to E-Sign and have specific provisions for compliance?
  • What are “digital signatures”?
  • Common questions, resources, exam procedures
  • Learn the Six-Step Process for Consumer Consent
  • Basic Steps for E-Sign Implementation
  • Tips for cybersecurity and fraud detection of identity theft

Who Should Attend?
This session is beneficial for lenders, loan administration, compliance officers, IT staff, auditors, customer service, and security officers.

Susan Costonis is a compliance consultant and trainer. She specializes in compliance management along with deposit and lending regulatory training.

Costonis has successfully managed compliance programs and exams for institutions that ranged from a community bank to large multi-state bank holding companies. She has been a compliance officer for institutions supervised by the OCC, FDIC, and Federal Reserve. Costonis has been a Certified Regulatory Compliance Manager since 1998, completed the ABA Graduate Compliance School, and graduated from the University of Akron and the Graduate Banking School of the University of Colorado. She regularly presents to financial institution audiences in several states and “translates” complex regulations into simple concepts by using humor and real-life examples.

Registration Options

  • Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts – $279
  • Available Upgrades:
    • 12 Months OnDemand Playback + $110
    • 12 Months OnDemand Playback + CD + $140
    • Additional Live Access + $75 per person