
Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021, Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associate’s degree in data processing. Over the past two decades, he has also completed a range of training courses through vendors and trade schools, as well as earning certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give users more processing power and more ability to manipulate data. As data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but at desktops anywhere in the company.

As data collection and storage capabilities improved, securing all of that information became not only more difficult but also more important. Regulations have since been created to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our companies’ DNA,” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message of appreciation for the last 13 years: “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”


By Cassandra Krause 

Ransomware attacks have seen a recent uptick in activity and have been prevalent in recent news, and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game to steal the data first, then threaten to also publish the data to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets.

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020 to 2021. The per-record cost of personally identifiable information averaged $180.

Prevention 

With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director of InfoSec and Audit, Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of its network security, improving endpoint protection to replace traditional antivirus and endpoint detection solutions, including adding authentication improvements such as MFA, improved password strength, and protecting backups. As more and more of the digital tools that bankers utilize require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities.

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Wolf & Company, P.C. Manager of the I.T. Assurance Group Sean Goodwin, who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.” 

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee than to break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology).

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This class of solution, known as endpoint detection and response (EDR), is rapidly becoming a key point of protection from ransomware and all other malicious events.

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 

Preparation 

Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for their customers. Otteson recommends reporting all incidents, as even a minor incident could result in a claim down the line, and having reported that incident when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or with a vendor with which the bank shared customer data.

Mitigation 

It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the number of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff.

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incident response plan. Assessing what went well and what needs to be improved are critical steps.

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 

Summary 

Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destroyed data; and the downtime of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCO, MBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.

For the first time, this year WBA’s Secur-I.T. Conference will be combined with the annual BSA/AML Conference! These meetings — which cover many functions of a bank such as Bank Secrecy Act (BSA)/Anti-Money Laundering (AML), Operations, Security, and Technology — draw banking professionals from all around the state of Wisconsin for education and networking. The 2021 WBA Secur-I.T. & BSA/AML Conference will be held September 21–22 at the Kalahari Resort and Convention Center in Wisconsin Dells.

Attendees will benefit from over seven hours of presentations from general session topics to breakout sessions by nationally recognized speakers and local professionals; networking with more than 125 banking peers; and meeting several exhibitors who offer products and services geared to help banks with customer experiences, BSA/AML programs, security, and technology.

The conference will kick off with a discussion on virtual currency as that continues to emerge as a hot button conversation for BSA/OFAC risk. The first conference speaker, Robin Guthridge of Wipfli LLP, will discuss FinCEN and the U.S. Treasury advisories regarding the risk virtual currency transactions could present. The event will also explore monitoring and SAR-filing responsibilities relating to virtual currency transactions.

Terri Luttrell from Abrigo will be diving into a topic that is closer to home than many may think. Human trafficking is one of the fastest growing criminal activities in the world, exploiting over 45 million people and generating an estimated $150 billion in profits each year. Financial institutions have a critical role to play in identifying and disrupting human trafficking. This next session at the conference will discuss what financial institutions and BSA professionals can do to help identify, flag, and prevent human trafficking.

The conference will close out with Alex Weber, international speaker, American Ninja Warrior, and award-winning performer for NBC. Weber’s contagious energy and strategic methods to transform audiences to achieve at their highest levels will certainly leave attendees feeling their best and excited to return to the bank post conference. Whether you are looking for BSA updates, high-tech discussions, peer networking, or all of the above, you will want to make sure you are in attendance at this year’s Conference. We hope to see you there!

Encourage your customers to tell Congress not to let the IRS invade their privacy.

The Biden administration is advancing an overreaching proposal requiring financial institutions to report their customers’ deposit and withdrawal information to the IRS, regardless of their tax liability or consent. WBA, ABA, ICBA, and other state banking associations are opposed to this measure and this is a topic we have been discussing in meetings with our Congressional delegation.

ICBA’s landing page for this issue may be found here.

Please consider sending a message to your representative and senators, and encourage your customers to do the same here.

According to analyst firm Gartner, extended detection and response (XDR) is a “SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

You’ll hear plenty of traditional antivirus vendors begin to proclaim themselves an endpoint detection and response (EDR) or XDR solution, trying to keep up with this more advanced tool space. As they either buy up other vendors that have the tool sets (then try to bolt them onto their traditional solution) or simply try to remake themselves in the model of an XDR solution in other ways, their final offering often has limitations. Typically, they’ll cover some but not all of the areas of a complete XDR solution. They will address hosts and files but not network and users, or network and hosts but not files or users. They’ll miss some of the cohesive security operation Gartner describes.

A recent article from HelpNetSecurity—a popular information security online publication—titled “XDR and MDR: What’s the Difference and Why Does It Matter?” made the following statement in closing: “An XDR solution without adequate human expertise/staffing behind it will only ever be a tool. With a managed services model in play, you’re getting both the comprehensive technology capabilities and the people required to make it work— which is why managed detection and response (MDR) may be the only acronym that your organization needs.”

This statement is very accurate for the less complete XDR offerings that do not include managed and monitoring components in their solutions. They become like all the security information and event management (SIEM) and log management solutions that have been pushed at you for years: just another tool that no one has the expertise to manage or to leverage for the benefits you bought it for. So, what do you have to do? One option is to buy “managed services” from these tool vendors, which can make banks dependent on them.

Another option is to research other solutions that are out there. In addition to Cynet, our Infosecurity consulting services suggest reviewing Gartner’s list of EDR solutions and offerings from WBA Associate Members when completing your due diligence. Complete solutions like Cynet360 include the backing of the Cynet CyOps team without needing to pay extra, bolt on more products, or go looking for the 24x7x365 expertise of another managed provider. This doesn’t mean that you can’t still depend on a managed services provider for another layer of monitoring and managing, but are they independent if they also are who you need to be monitoring? There’s nothing wrong with leveraging the additional layer you’ve come to depend on, but at what added cost to get the independence and expertise like that of a CyOps team that is already baked into the Cynet360 solution? You will still need to explain to your auditor and examiners that you’ve learned the tool adequately enough to understand and generate independent reporting of the activities of the managed third party.

At least when you are answering that questionnaire for your cyber insurance coverage, you’ll be able to check off ‘Yes’ on several questions because you implemented a powerful, more advanced endpoint protection solution.

Shaurette is FIPCO’s director of information security and audit. Contact him at kshaurette@fipco.com or 608-441-1251.

By Alex Paniagua

Cyberattacks on bank data, including ransomware incursions that can deny a financial institution access to its own digital information, are an increasing operational risk, an industry regulator and cybersecurity experts warn. 

While most have adapted to employees working remotely during the COVID-19 pandemic, banks need to be especially mindful as hackers more aggressively attempt to break into computer systems from various points of entry, they say. 

“Banks should remain vigilant concerning cybersecurity control and risk management practices as banks face continuous threats from cyber actors,” the Office of the Comptroller of the Currency stated in its autumn Semiannual Risk Perspective. “These actors have become less inhibited and more sophisticated with their knowledge of the financial institution operations and vulnerabilities in bank applications or systems.” 

In addition to exploiting system susceptibilities, cyber crooks are using exploitation methods like phishing emails and credential theft to compromise bank systems, and examiners continue to identify concerns with bank information technology security, the OCC said. 

The pandemic has made the situation worse. 

“Cyber criminals prey on fear and urgency and general mass concern. So the coronavirus, this global pandemic that we’re dealing with, really is the sweet spot for those folks – particularly in sending out mass phishing email scams,” said Jon Waldman, co-founder of SBS CyberSecurity, a Madison, South Dakota firm that works with many financial institutions. “One out of every three phishing scams today are COVID related.” 

Waldman said that during the March-through-April stretch when coronavirus fears initially peaked, there was a 667% rise in phishing emails in the U.S. 

Phishing – a technique in which a cyber thief sends emails in the hope of duping an unsuspecting victim into turning over private information like email or system passwords – often is the easiest route for busting into a data system. 

Rather than use a highly skilled hacker to try to break through a company’s firewall, organizations can send authentic-looking phishing emails that trick the recipient into clicking on a link that opens the door to a data takeover. 

“The weakest link is the person who hasn’t been informed well enough or trained well enough or educated well enough that you don’t click on links that were not expected,” said Ken Shaurette, director of info security and audit for the Madison-based bank services firm FIPCO. “I’ve seen some extremely crafty ones. They will even fool the experts when they’re well done. And one time is all it takes.” 

In one common ruse, a hacker infiltrates actual email accounts from a title company or real estate brokerage. The crooks might then send, for instance, an email to a homebuyer who is getting ready to close on a mortgage, telling him or her the location where funds should be wired has just changed. 

“It’s coming with an actual email address. You — as a homebuyer — how do you know that wasn’t legitimate?” Shaurette said. 

In its report, the OCC warned that the financial sector continues to see an increase in ransomware attacks with cyber actors using phishing emails as the main attack method. 

In a ransomware attack, the cyber crook finds a way into a company’s system and then encrypts important data and demands money, typically via Bitcoin, to provide a key that unlocks it.  

“Recently, cyber actors have elevated their tactics to not only target and encrypt bank data while compelling payment but also threaten to auction or publish customer information on the dark web,” the OCC said. 

Banks should have a clear understanding of the impact of a ransomware attack and the potential effects on the banks’ customers and third parties, the OCC said. Dealing with breaches often comes at great cost – both financial and to customer relations.  

“Given the nature of what they do, if banks can’t recover because they don’t have appropriate backup or secured backup systems in place, they are likely looking at a scenario of ‘Well, how do we get our data back?’ and that could include paying the ransom,” said Tom Wojcinski, a director in the risk advisory services practice of the Milwaukee-based accounting and consulting firm Wipfli. 

Although authorities say companies never should pay the ransom to regain access to their data, some do. 

“If nobody paid the ransom the market would evaporate and it would stop being a thing,” Wojcinski said. “But people are paying the ransom, so the cyber criminals are continuing to drive innovation of their ransomware. It’s getting better, it’s getting faster, it’s getting harder to detect.” 

Waldman said that when a ransomware group or an attacker gets into a network, they often go 40 to 60 days – and even up to 200 days – without being detected. 

“Which gives the bad guy a lot of time to steal information and then use that as leverage in order to force an additional ransomware payment,” Waldman said. “If you have that kind of leverage, that also means you can ask for more money, and if the company doesn’t pay the ransom, then they threaten to post the data.” 

What is a typical ransom demand to a business? 

“Probably at the beginning of 2019 the average was $30,000 to $50,000, and today it’s over $200,000 on average,” Waldman said. “If you’re a bigger company, then it’s usually seven figures.” 

Given the immense hassle and cost of dealing with a ransomware takeover – and many other types of cyber intrusion – prevention and detection are crucial. 

Experts say companies need to be especially wary during a time when more employees are working remotely instead of in a building where data systems are assumed secure. 

“It’s taking employees that were once on a ‘trusted’ system in their office and potentially moving them out to a personal computer that now has not had the same kinds of controls applied to it,” Shaurette said.  

Said Waldman: “Those folks that are working from home are still working with customer information on behalf of the bank, and there’s a big potential exposure there if they would click on a phishing email or get ransomware that goes back to the financial institutions. The big message is: make sure that you use these next few months to plan around securing your work-from-home folks.” 

What are some ways a bank can protect itself against cyber crooks? 

Use multiple data backups. Waldman stressed backing up data, not just with a cloud backup, but also by keeping a copy offline and not connected to the network – safely away from the clutches of criminals. 

“In almost every case that we’ve worked from a digital forensic incident response perspective, any time an organization has had to pay the ransom, it’s because they didn’t have good data backups,” Waldman said. 

Have a strong patch management system. Staying up to date on patches typically prevents many data breaches, Waldman said. 

Train employees to make sure they’re aware of threats. Wojcinski said banks need to “create a culture of security.” 

“When I say create a culture of security, I’m really thinking about how we need to instill professional skepticism in our end users,” Wojcinski said. “And we need people to really think twice to say, ‘Should I click this link? Should I process this wire transfer? Should I do this? Is that the right thing? Let’s ask for clarification.’” 

Use multi-factor authentication. Hackers can steal or buy email credentials. Having another way to make sure the people behind the account are who they say they are can head off trouble. 

Have strong passwords. “Passwords don’t need to be complex. They need to be long,” said Shaurette. “Passwords don’t need to be hieroglyphic. They need to be unique and they should be long – and by long, it should be 15 characters and plus. If I use three or four unrelated words, I’ve got a long password that nobody is likely to ever guess.” 

Use next-generation antivirus software. While traditional antivirus programs rely on a database of cyber threats, advanced antivirus software analyzes a file before it opens to see if it’s going to execute code in a way that appears to be malicious, Waldman said. 

Make sure your security system can quickly identify intruders. This will keep criminals from having extended time in a bank’s network and records, Waldman said. 

Even with preventive measures in place, “You still need to anticipate those will be circumvented or breached somehow,” Wojcinski said.

“We’ve got to have monitoring processes in place to identify suspicious network traffic, as well as endpoint detection tools to look for anomalous processes running on workstations,” Wojcinski said.

If banks build strong cybersecurity systems, compliance with regulators shouldn’t be an issue, Shaurette said. 

“If you’ve built based on strong industry standards and continue to mature it – it’s a journey, not a destination – you will be compliant to any regulation that ever comes along,” he said. 

FIPCO is a WBA subsidiary and a WBA Gold Associate Member. 

SBS CyberSecurity is a WBA Bronze Associate Member.

Wipfli is a WBA Silver Associate Member. 

By Alex Paniagua

To date, while some federal agencies have made public statements, Congress has not exercised its constitutional power under the commerce clause to regulate cryptocurrencies and blockchain technology to the exclusion of the states. This means that the states remain free to enforce their own legislation. Sixteen states have enacted legislation related to virtual currency or cryptocurrencies and nine states have enacted or adopted laws that reference blockchain technology. 

To help assist lawmakers (and the general public), the State of Wisconsin Legislative Reference Bureau (LRB) created a summary that highlights the responses of major economic players as well as innovative practices on cryptocurrency and blockchain technologies. The report is designed to help gain a broad perspective of the current global regulatory market and the breadth of proposals for further policy and legislative guidance. Cryptocurrency, a subset of digital currency, is held up by some as the "currency of the future," and the technology that allows its existence could revolutionize business and government. 

As cryptocurrency becomes more mainstream, governments around the world have taken the first steps toward regulation; however, advances in technology frequently outpace legislation. The LRB report describes the principal characteristics of cryptocurrencies and the underlying technology that enables their existence: decentralized, distributed ledgers based on blockchains. The report then details recent developments in regulations in the United States by various federal regulatory and enforcement agencies and the most relevant case law. Finally, the report explores developments at the state level and summarizes the global regulatory landscape of international responses to the regulation of cryptocurrency.

How Blockchains Work: A Sample Case Study

  1. Charlotte and Susie download digital wallets, providing the encryption keys necessary for the transaction. 
  2. Charlotte creates a message requesting a $15 transaction to repay Susie for dinner. The message is encrypted using Susie's public key, ensuring that only Susie can decrypt the message using her private key. The message also includes Charlotte's private key to validate her status as the initiating entity.
  3. The message is broadcast to a peer-to-peer (P2P) network consisting of private computers, or nodes. 
  4. The network validates the transaction and Charlotte's user status, then records and time-stamps it to verify that the cryptocurrency has changed possession. 
  5. The transaction is combined with other transactions to create a new block of data for the ledger.
  6. The new block of data is added to the existing blockchain in a way that is permanent and unalterable.
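The six steps above as a runnable Go example, added here and not part of the LRB report or this post; it assumes Ed25519 signatures and SHA-256 from Go's standard library, renders the case study's "includes Charlotte's private key" as the standard digital signature made with that key (the key itself never leaves her wallet), and leaves out the encryption-to-Susie step and the network broadcast to concentrate on validation, block creation and the tamper check that makes the chain unalterable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// NewWallet is step 1: a fresh Ed25519 key pair for one participant's wallet.
func NewWallet() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: refuse to create a wallet
	}
	return pub, priv
}

// Tx is the step 2 message; payload() is the canonical byte string that is signed and later hashed.
type Tx struct {
	From, To  ed25519.PublicKey
	Cents     int64
	Signature []byte
}
func (t Tx) payload() []byte {
	return []byte(hex.EncodeToString(t.From) + "|" + hex.EncodeToString(t.To) + "|" + strconv.FormatInt(t.Cents, 10))
}

// Sign proves who initiated the transaction: only a signature travels; the private key stays in the wallet.
func Sign(priv ed25519.PrivateKey, to ed25519.PublicKey, cents int64) Tx {
	t := Tx{From: priv.Public().(ed25519.PublicKey), To: to, Cents: cents}
	t.Signature = ed25519.Sign(priv, t.payload())
	return t
}

// Validate is each node's step 4 check: the signature must verify under the sender's public key.
func Validate(t Tx) bool {
	return len(t.From) == ed25519.PublicKeySize && t.Cents > 0 &&
		ed25519.Verify(t.From, t.payload(), t.Signature)
}

// Block batches validated transactions (step 5) and links to its predecessor by hash (step 6).
type Block struct {
	Timestamp int64
	PrevHash  string
	Txs       []Tx
	Hash      string
}
func computeHash(b Block) string {
	var sb strings.Builder
	sb.WriteString(strconv.FormatInt(b.Timestamp, 10) + "|" + b.PrevHash)
	for _, t := range b.Txs {
		sb.Write(append(t.payload(), t.Signature...))
	}
	sum := sha256.Sum256([]byte(sb.String()))
	return hex.EncodeToString(sum[:])
}

// AppendBlock rejects the whole batch if any transaction fails validation, then links the block.
func AppendBlock(chain []Block, txs []Tx, ts int64) ([]Block, error) {
	for i, t := range txs {
		if !Validate(t) {
			return chain, fmt.Errorf("transaction %d rejected: bad signature or amount", i)
		}
	}
	b := Block{Timestamp: ts, Txs: txs}
	if len(chain) > 0 {
		b.PrevHash = chain[len(chain)-1].Hash
	}
	b.Hash = computeHash(b)
	return append(chain, b), nil
}

// VerifyChain is "permanent and unalterable" in practice: editing any recorded transaction
// changes its block's hash and breaks every PrevHash link after it.
func VerifyChain(chain []Block) bool {
	for i, b := range chain {
		if b.Hash != computeHash(b) || (i > 0 && b.PrevHash != chain[i-1].Hash) {
			return false
		}
	}
	return true
}
```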

If you'd like to read the full LRB report please visit www.banconomics.com.

By Amber Seitz

The Wisconsin Bankers Association offers for your use the following consumer education column. Your bank is free to use this as a community column in your local newspaper, a letter to the editor, a press release or in any other way you see fit. The purpose is to give our members an easy-to-use tool for promoting the banking industry to Wisconsin's communities.

Identity theft is on the top of many consumers' minds these days, with new data breaches announced seemingly weekly. As masses of Americans turn to credit monitoring, fraud alerts, and other solutions to prevent their identities from being stolen, one group sometimes slips through the cracks: children. Parents: don't forget that your child has a Social Security number, so their identity could be stolen and used to take out fraudulent loans that could damage their ability to buy a car, get student loans, rent an apartment, or even get a job in the future. Below are some steps to consider to help protect your children from ID theft: 

Watch for red flags.
First, keep an eye out for common signs that your child's identity has been used to obtain credit. These include an influx of mailed credit card and/or loan offers addressed to your child, a notice from the IRS that your child didn't pay income tax or was claimed as a dependent, and collections calls for bills addressed to your child. When your child gets older, being denied a bank account, driver's license, or government benefits (such as Medicaid) are also indications that their identity may have been stolen. 

Check your child's credit report.
The next step to take is similar to what you would do to protect your own identity: check their credit report. It's a bit more complex when the credit report you're requesting is your child's (versus your own), but it is an important step. Contact the major credit bureaus (Equifax, Experian, and TransUnion) to find out the specific documentation they require. You'll likely need to mail in copies of your child's birth certificate and/or their Social Security card, as well as a copy of your own ID. Keep in mind that your child may not have a credit report, and that's a good thing! It means your child's identity has not been used by criminals to obtain credit in their name. 

Consider a credit freeze.
If you find that your child has a credit report, consider placing a freeze on it. This is especially important to consider if your child's identity has been stolen, since it will help prevent future instances of their information being used to obtain credit. Wisconsin's Child Credit Protection Act allows parents and legal guardians to place a freeze on their child's credit record. By freezing their credit with each of the major credit bureaus, you will prevent criminals from taking out credit using your child's identity. Each credit bureau has a different process for freezing credit, so contact them to find out the steps if you are interested in a credit freeze for your child(ren). Keep in mind, the bureaus charge a fee to freeze and unfreeze credit, so you'll want to consider how close your child is to legitimate credit requests (such as student loans or a first credit card) before taking this step. 

If you suspect your child's identity has been stolen, visit www.identitytheft.gov for step-by-step guidance on what to do next. 

An archive of Consumer Columns is available online at www.wisbank.com/ConsumerColumns.

By Amber Seitz

Security considerations for modern branch technology

As branch networks evolve from brick-and-mortar transaction centers into technology-friendly customer interaction spaces, banks must also be diligent in their work to update their security strategy. A 20th-century security plan won't protect a 21st-century branch network. Unfortunately, there's no universal approach that will work for every institution. "Any time you're adding new technology or moving to something new, there's no easy answer," said Randy Phillips, vice president of security management at Thompson Consulting Group, LLC. "It's really a case-by-case basis because it depends on how much technology you're adding." Instead, bank security officers should align their current strategy to their branch network with a close look at their vulnerabilities from a holistic perspective. 

Adopt a Holistic Perspective

Modern branch networks are less a collection of separate buildings and more a true network, a group of interconnected pieces working in tandem. Therefore, updating the security strategy to accommodate modern networks requires a perspective shift. "It doesn't require changes so much as it requires looking at security concerns from the past in a different way, as an ecosystem rather than as separate pieces," said Jim Stanger, FI solutions team leader at Edge One, Inc. "You need to look at your security more holistically." Protecting innovative branch networks that rely on more automation than past models requires reviewing security in a new way, according to Barry Thompson, managing partner at Thompson Consulting Group, LLC. 

That holistic view necessitates an understanding of how each piece of the network interacts with the others, whether it's an ATM at a remote location, a complimentary Wi-Fi connection, or a new mobile app. "Any time you're looking at new technology, you need to look at the interoperability, how all the parts will work together," said Phillips. "Research it and spend the time to choose wisely, because the last thing you want is to make a purchase and then discover that it's not as efficient as you'd anticipated or it opens you up to new vulnerabilities you hadn't expected." Bank security officers must identify and defend against new and transforming vulnerabilities related to both physical security and information security, and the best way to do so is to evaluate current security from the perspective of a criminal. "Everybody's probably heard it before, but any situation where you're the security officer you have to think like the bad guy," Phillips said. "What are they doing and how are they trying to do it?"

Information Security

With today's rapidly evolving technology landscape, keeping up with the industry is vital for information security, which is one of the most common security concerns today, according to Dawn Staples, president/CEO of Superior Savings Bank. "These concerns evolve as quickly as the previous vulnerability has been addressed. Maintaining an effective information security policy that is frequently updated and followed, along with a vigilant eye on emerging trends is essential." An ongoing system for monitoring and improving security is especially critical as the machines banks use to deliver services to their customers become more complex, such as video ATMs and interactive teller machines. "Protect the terminals today but also have a system for protecting them on an ongoing basis," Stanger advised. Having a system in place to regularly install security updates is vital, as modern machines are far more complex than their past counterparts. "These solutions are just as much software as they are hardware, today," said Stanger, referring to ATMs. 

Even entirely digital system components such as Wi-Fi and electronic banking products should be reviewed and monitored as part of the overall branch network, since they can become gateways for criminals to access other areas of the network. "Layered security is a primary focus with all of our electronic banking products," said Staples. "Multifactor authentication, firewalls, and VPNs are just a few of the strategies that are commonly used." When it comes to offering internet access to customers, the best protection is to separate it from the connection used by branch network components and internal processes. "If you're providing free Wi-Fi for visitors and customers, you must ensure that the connection is completely separate from the connection used by the bank's internal computers and systems," Thompson stressed. "Otherwise someone in the parking lot can start using your internet." The good news is, safer and more secure technology is developed as rapidly as criminals find ways to exploit current technology. "As technology advances, additional protections are available for personal transactions, whether it's banking or any other cloud-based activity," said Staples. 

Physical Security

When it comes to physical security, a holistic perspective requires banks to consider how the new devices impact customer safety, even as they provide additional convenience. "The biggest change is to give more consideration to the fact that we're moving some of our security exposure to the customer," Phillips said. He explained that self-service machines such as interactive ATMs place the responsibility for cash handling on the customer, and many people still don't trust machines to dispense the correct amount. "They're still going to stand there and count the money," he said. "So, look at the surroundings."

This customer-centric view also applies when considering the physical layout of the branch, including the placement of teller pods (if they are being installed). "The size of the teller pod and how you position it within the branch creates issues for physical security," said Thompson. For example, he cautioned banks against positioning pods in such a way that would allow customers to view the computer screens on nearby pods, potentially revealing other customers' account information. "It's crime prevention through environmental design," he explained. Fortunately, as with many information security components, improvements are constantly being made to the physical elements of branch networks. "Many of these new technologies have self-monitoring capabilities, detecting skimming devices on ATMs, for example," Phillips said. 

One thing that hasn't changed, and isn't likely to: prevention and preparation are critical elements in an effective bank security strategy. "Vigilance for what's happening today, with an eye for what's happening tomorrow," said Stanger. "It's best to buy umbrellas before it starts raining."

Edge One, Inc. is a WBA Associate Member.

By Amber Seitz

Events

Cybersecurity threats continue to rapidly evolve in sophistication and are occurring with increased frequency. Daily, we hear news about a new data breach, a dangerous strain of malware, innovative hacking schemes, and targeted efforts of organized crime groups. In fact, cybersecurity news has become so pervasive that it’s not even shocking news to most people anymore. This session will provide detailed information on how to prevent the latest information security threats and ways to mitigate the latest vulnerabilities.

The discussion will include:

  • Network compromises and data breaches
  • ATM Jackpotting and unlimited operations
  • New internet-based vulnerabilities
  • Commercial account takeover
  • Business email compromise
  • Standards for protecting information systems (NIST, SANS, ISO)
  • Advanced controls to mitigate risk (DLP, SIEM, App Whitelisting, Next Gen Firewalls, Network Segregation, Incident Response, Continual Monitoring, Forensics)
  • How to tie standards and controls to the IT Risk Assessment and IT Audit Program

Target Audience:  Information security officer, IT manager, risk officer, internal auditor, CIO, and executives looking to better understand cybersecurity risks.

Presenter
SBS CyberSecurity, LLC

Registration Option
Live presentation $330

Recording available through July 22, 2022

The thing about Incident Response, just like Business Continuity (and insurance), is that we all hope the scenarios we know can happen never actually occur. However, the point of planning is to anticipate the bad things happening and have a plan to deal with those incidents, should they occur.

While it can be difficult to document a response for Incident Response scenarios that have never occurred, building out step-by-step scenarios into an Incident Response Playbook might just save your organization time, money, resources, or even the business itself if something bad does happen. How do you create your own Incident Response Playbook?

This presentation will cover the following areas/topics:

  • Regulatory requirements of an Incident Response Plan (IRP)
  • Components of a valuable IRP
  • Threat Assessments
  • What is an Incident Response Playbook?
  • Testing Your Incident Response Playbook
  • Using Your Playbook to improve your IRP

Target Audience: Information security officer, IT manager, risk officer, internal auditor, CIO.

Presenter
SBS CyberSecurity, LLC

Registration Options
Live presentation $330

Recording available through September 10, 2022

It’s time to shift our thinking when it comes to security awareness training. Yearly education and testing just doesn’t cut it in today’s cyber world. Security awareness is a topic we should have in front of our people on a much more consistent basis.

However, as we all know, creating a culture in any environment involves more than words or flipping a switch — it involves thoughtful and deliberate action across the organization, as well as accountability for that culture. Culture also has to start at the TOP of the organization, or it will be meaningless downstream. Overall, the goal of a Culture of Cybersecurity is to make security the first thing we think about, as opposed to the last.

Join us for this session, which will include:

  • Cyber Threats’ New Normal
  • People, Process, and Technology — which is the weakest link?
  • Compliance-based security awareness training
  • Proactive Security Awareness Training
  • Building an Effective Security Awareness Training Program
    • Directors/Executive Management
    • Employees
    • Customers
  • Topical training ideas
  • Why accountability matters most

Target Audience: Incident response team, information security officer, IT manager, risk officer, internal auditor, and IT focused staff.

Presenter
SBS CyberSecurity, LLC

Registration Options
Live presentation $330

Recording available through August 13, 2022

This webinar covers common versions of global cash flow (GCF) analysis being used by bankers, with a focus on GCF as part of the underwriting process in most medium- to smaller-sized businesses and self-employed lending situations. A major issue is how to adjust or reduce the personal cash flow for income taxes and living expenses. Because of differences in how a personal debt-to-income (DTI) is derived versus a business debt service coverage (DSC), some type of adjustment must be made before combining personal and business data. This leads to a discussion of the advantages and disadvantages of adjusting for income taxes and living expenses, versus adjusting the required coverage factor. Another major issue is capital gains and other items within the broader recurring/non-recurring decision category. A case study is used to illustrate key points.

Topics to be covered include:

  • Personal DTI versus business DSC
  • Approaches to imputing a personal living expense factor
  • Regulatory discussion of living expenses and capital gains (losses)
  • Analytical and conceptual issues:
    • Mixing two approaches to debt coverage
    • Using averages for debt coverage ratios
    • Recurring vs. non-recurring items
    • Where is the cash flow (if any) when a capital gain is listed?

Target Audience: Branch managers, consumer lenders, mortgage bankers, private bankers, small business lenders, commercial lenders, credit analysts, loan review specialists, special assets officers, lending managers, and credit officers

Presenter
Richard Hamm, Advantage Consulting & Training

Registration Options
Live presentation $330

Recording available through August 10, 2022

Explore the fundamental building blocks of a repeatable framework for cybersecurity and information security issues. Your information security program can be more than a document created for compliance. We will help develop a program that provides your institution with clear direction and guidance that meets and exceeds regulatory expectations while addressing real-world risks.

Some bank programs implemented today are a collection of documents pulled together over the years that exist primarily to satisfy regulatory requirements. The Information Security Program should be a coordinated set of policies that work together to implement a unified set of controls across the organization: a daily playbook used by employees to fight cybercrime, not a collection of documents to satisfy auditors and examiners.

Discussion Topics

  • Regulatory Requirements
  • Purpose of repeatable cybersecurity frameworks
  • Program Basics for a solid framework
  • Detailed explanation of framework components
  • Next steps for a comprehensive, valuable, repeatable framework
  • Making decisions with the framework
  • See new issues and technologies automatically handled by a solid framework

Target Audience
Incident response team, information security officer, IT manager, risk officer, internal auditor, and IT focused staff members

Presenter
SBS CyberSecurity, LLC

Registration Option
Live presentation $330

Recording available through April 28, 2022

The implementing regulations of the Bank Protection Act require the security officer to report annually to the board on the “implementation, administration, and effectiveness of the security program.” As banks downsize or right-size, danger in the security area increases. Learn how to educate your board on these issues with skill and diplomacy.

This webinar will review best practices relating to training, inspections, and foreseeable events that should be reported to the board. Learn how the annual written report should be prepared, presented, and reported. Security officers and board members will garner valuable resources that can provide statistics, facts, and information to reduce liability.

Many financial institutions are satisfied if regulators don’t take issue with the board report or the security program. However, don’t wait for a lawsuit against the security officer, management, and the board (both jointly and individually) to discover your report was missing key items. Information that could help during litigation is very different than what regulators examine for compliance. Be aware that the report is not just for the board – a much larger audience will review it if something goes wrong.

Attendance certificate provided to self-report CE credits.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
Report foreseeable events that could bring liability against the board
Identify information that should be reported to the board annually
Present major problems to the board with limited time
Explain why the security officer/risk management department should report to the board in person
Understand what is included in the security function
Keep records that will make board reporting easier

WHO SHOULD ATTEND?
This informative session was designed for auditors, security officers, risk management staff, senior management, and board members responsible for the security function.

TAKE-AWAY TOOLKIT
Sample annual board report
Sample top sheet for board reporting
Special report form
Incident report form
Security tips
Employee training log
Interactive quiz

ABOUT THE PRESENTER – Barry Thompson, CRCM Thompson Consulting Group, LLC
Barry Thompson is an international speaker, trainer, consultant, and writer. He is a security and compliance “guru” for a leading national training organization and regularly presents security conferences for trade groups – he has trained over 51,000 financial professionals.

Barry is recognized worldwide, presenting in Brussels, Belgium to European bankers on internal fraud; at the United Nations on identity theft; and to Japanese bankers on bank security. Barry has worked in the financial services industry for over four decades, and has held the positions of security officer, compliance officer, treasurer, senior vice president, and executive vice president. He has handled over 900 security cases and has been involved with investigations and prosecutions at the federal, state, and local levels. Barry is the author of 101 Security Tips for the Beginning Security Officer and has been interviewed by Newsweek, Computer World, USA Today, and other national publications.

REGISTRATION OPTIONS
Live Webinar Access – $245
On-Demand Access + Digital Download – $245
Both Live & On-Demand Access + Digital Download – $320

October 3-7, 2022
Fluno Center for Executive Education
Madison, Wisconsin
Enrollment Deadline: September 6

KEY INFORMATION SECURITY STRATEGIES

Online bank fraud has been described as epidemic, with numbers that are staggering — it’s estimated that U.S. banks lose $1.5 billion to phishing attacks annually. Consider also that mobile devices are now ubiquitous and hackers are getting ever-more sophisticated in their ability to gain access to sensitive data and it’s clear that there is a need for proactive IT security offense and defense to stop attacks including phishing, malware, coordinated denial of service attacks, hacktivist breaches and more. The threats to the banking sector are multiple and significant — both financially and reputationally. Today’s bank customer is rightfully concerned about online banking fraud and studies show that the majority of customers would change banks if they became a victim of fraud at their current institution. Security breaches not only cost significant dollars, but they also erode consumer trust. Being proactive is key.

Don’t miss this innovative school that’s designed by, and especially for, information security officers in the financial industry. This state-of-the-art program will broaden your understanding of the business of banking including key drivers of bank profitability, along with an in depth, interactive and hands-on study of the latest IT security techniques and strategies.

The school uses a mix of lecture, small group discussions and interactive computer labs. The hands-on, computer-based simulation labs will allow you to explore penetration and vulnerability testing, security attacks, early detection of data breaches and more. You’ll spend class time diving deep with IT security experts and knowledgeable colleagues who will become a network to call upon for years to come. Apply today to take advantage of this opportunity to learn from experts in the banking industry about today’s key issues in information assurance.

WHO SHOULD ATTEND

Whether you’re a veteran Information Security Officer or new to the IT security field, this powerful program will give you the skills and knowledge to effectively secure your bank’s and your customers’ most sensitive information.

Full school details are available on gsb.org.

There are three phases to creating an Information Security Program for financial institutions: 1) planning and preparation, 2) implementation, and 3) testing and verification. When it comes to testing your ISP, one of the big questions you should ask – both of yourself and your auditor(s) – is “where does our risk really lie?” Are you testing your ISP because you have to, or are you testing your ISP because you really want to protect your institution and your customers’ data from a cyber attack?

Covered Topics

People, Process, and Technology
Minimum Requirements for Testing Your ISP
Best Practices for Testing Your ISP
Reactive Testing vs. Proactive Testing
Additional Security Testing to Consider

Who Should Attend?
Information Security Officer, IT Manager, Risk Officer, Internal Auditor, CIO, and Executives looking to understand the Cybersecurity Assessment process, common weaknesses in controls, and how to address them.

Presenter
Cody Delzer, CISA, CDPSE, is an SVP Information Security Consultant for SBS CyberSecurity, LLC of Madison, SD. He has a Bachelor of Science Degree in Computer and Network Security from Dakota State University and 13 years’ experience in IT and IT Security: 3 years in Systems Operations and 10 years in Information Assurance. Cody has worked with over 300 Financial Institutions and other private industry organizations across the United States.

Registration Options

“Live” Web connection – $265
6-month “OnDemand” website link only – $295
CD-ROM and e-materials only – $345
Live plus OnDemand website link – $365
Premier Package: Live, OnDemand link, and CD-ROM plus – $395