Tag Archive for: Data Security

Posts

Row of digital locks with glowing lock in middle
, ,

Passwords: Ensuring Secure Data

How you can be your own best first line of defense against hackers

By Rob Foxx, CCBTO

Depending on how old you are, you will have a different perspective on passwords. The more seasoned professionals would have come in at a time when a minimum of six characters, no capital letters, numbers, or symbols was a commonplace practice. In comparison, passwords today usually consist of eight characters — at least one being one upper case — a number, and a symbol.

With a good computer and access to a vulnerable system, even now those passwords could be cracked by a common tool to brute force into the system in less than six hours. While our technology continues to evolve, unfortunately, so too do the bad actors and threats to our data security.

Digital Security Threats

While some threats are technology based, a consistent number of threats to our passwords are not. Saving a password to a browser is an invitation for trouble. Once you walk away from an unlocked computer, it would not take much effort to log in or even change your credential without your knowledge. There are many tools that can copy these passwords quickly and with very little expertise.

Additionally, those who reuse passwords or only slightly change them is a direct invite to bad actors. If your password was compromised on a common website and associated with your email, someone has that information, and there is a good chance they are going to try it elsewhere. For example, changing a password from Carl!123 to Carl@123 is also risky as a list of passwords associated with users’ names fed into a computer could guess this in seconds rather than hours.

Many people write their passwords down and tape it to a monitor. The inside of a desk drawer, or under the keyboard or mousepad are not much safer a hiding spot.

As many of us are aware, sharing passwords is a bad idea from an accountability point of view. Once someone else has it, you can no longer secure it from being written down or re-shared.

Be aware if your passwords or accounts have been breached in the past. The website have ibeenpwned.com is a staple for those in the information security field. This allows you to check if both passwords and email accounts have been used or discovered in past breaches.

Additional Protective Steps

Like many threats, the best answer is in the hands of the people most at risk. With a little education and a few resources, you could be on your way to making yourself an unappealing target.

  • Multi-Factor Authentication

Multi-Factor Authentication (MFA) is the latest and greatest in terms of locking an account if available. It requires a token or application on your phone to give a random code that matches up to a login service. Using MFA makes unauthorized access very difficult.

  • “Real” Passwords

The NIST (National Institute of Standards and Technology) in their 800-63 publication points out that complexity does not matter to a computer. It only makes it harder for users to remember. Password length makes it exponentially more difficult for a computer to guess or break a password that has not been breached. A 15-character password with all lowercase letters would take a computer an estimated 12 million years to breach. Passwords can be as simple as three unrelated words or based on items found on your desk — coffeelampmouse is a good example. The internet is filled with random password generators, but they are only of limited use as the passwords they generate are impossible to remember.

  • Password Vaults

Password vaults are very reliable and inexpensive or free. They can make and save passwords for you requiring a single password to access all your other passwords. Additionally, they can generate passwords for you. This removes the requirement to come up with something new every time you make a password. Some vaults are cloud based, and for those who are looking for a business version or an entirely offline vault, these are also available.

Armed with the knowledge of the problem and the tools presented you can use them to be your own best first line of defense against people trying to take over your digital life. You would not choose a lawyer, doctor, or bank officer who barely meets minimum requirements to do something important, so do not skimp on the passwords that secure your data with a minimum requirement either. If you have questions, feel free to ask your local IT or information security professional — they are generally very happy to help people safeguard themselves, as it makes their lives easier as well!

Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.

/by
Hooded hacker banner
, ,

The New Face of Identity Theft

The rapid growth of synthetic identity fraud

By Hannah Flanders

Like many aspects of our day-to-day lives, the expansion of technology has both enhanced and complicated the ways in which we operate. As more and more of our information lives online, identity theft — once more likely to occur because of a stolen wallet — has also assumed a digital appearance: synthetic identity theft.

What is Synthetic Identity Fraud?

Synthetic identity fraud is defined as the use of a combination of pieces of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.

This form of identity theft has allowed bad actors to combine a stolen Social Security Number (SSN) and other false information — such as a fake name, address, date of birth, or phone number — to create a counterfeit identity to steal funds, escape prosecution, or any other number of criminal and fraudulent activities.

An Alarming Trend

In 2020, the Federal Bureau of Investigation (FBI) named synthetic identity theft as the fastest growing financial crime in the United States. Fraud targets are often those who do not typically use credit or are less likely to monitor their credit activity — including children, homeless individuals, and the elderly. These victims may find themselves blindsided as fraudsters create a new identity, apply for credit, and after years of building good credit by making payments for a time, abandon the account without paying anything back to the financial institution.

While this type of fraud is already difficult to detect due to its elusive or “normal” nature, many bad actors go to incredible lengths to appear as such, states Forbes. In addition to establishing good credit by making payments quickly and on time, some create digital profiles or use P.O. boxes for addresses.

Not only has technology and access to the dark web made PII more accessible to fraudsters, in 2011 the Social Security Administration (SSA) began randomizing the nine-digit social security codes rather than assigning them to individuals based on their geographical location and group number. No longer do social security numbers raise red flags when enrolling or opening accounts “out of state.”

As online banking grows in popularity, so too do concerns for synthetic identity theft. Between prevalent phishing schemes and heightened risks for data breaches — accessing PII and conducting synthetic identity fraud has become much easier than in years prior.

How to be Proactive Against Bad Actors

Inconsistent categorization and reporting make it difficult to identify and mitigate this type of fraud — as far as banks and credit bureaus can tell, these individuals are just like anyone else. . . until they “bust out” or abandon the maxed-out account with no intention of repayment.

After abandoning the false identity’s account, a fragmented file is created. This additional file not only becomes associated with the original SSN but also holds the additional credit report information and other fabricated PII. Unfortunately, this information could negatively impact the credit rating of the real individual.

When working with customers, bankers should advise frequent credit report checks or freezing unused credit at credit bureaus throughout the U.S. as to deter criminals or catch them early.

In addition, customers may take additional steps to protect themselves and their family against synthetic identity theft. One way parents can protect their children from fraudsters is by requesting their child be added to their credit profile. By adding a child to an adult’s credit profile, not only does the child’s own credit profile become established in his or her name and SSN, but the child is also able to begin building their credit.

The Cost of Synthetic Fraud

While victims of identity theft typically are not liable for fraudulent purchases or accounts, as long as they can prove they are the real SSN holder and not the thief, banks and other financial institutions are left to absorb the cost. This scheme is not only incredibly costly to banks across the country — with losses estimated at $20 billion in 2020, according to the Federal Reserve Bank of Boston — but gaps in the U.S. Fair Credit Reporting Act may have also increased the likelihood of repeat offenders.

The Federal Reserve has reported that bad actors are able to ‘flood the financial institution with an overwhelming number of claims’ on their fake accounts, and when creditors are unable to fulfill the investigation in the allotted timeframes, the disputed item is removed from the false credit report and time and time again, fraudsters get away with the act.

“Synthetic IDs are a struggle for community banks to identify,” states Lenore Breit, vice president – compliance manager at Wausau’s Prevail Bank. “Based on a recent presentation, [community banks] most likely have synthetic ID fraud in their deposit and loan accounts that remains undetected with traditional third-party ID verification programs that most community banks use.”

“There are other, more robust ID verification programs available to detect synthetic ID fraud,” adds Breit. “But they are costly and may not interface with legacy software.”

One such software program, the electronic Consent Based SSN Verification service, was created in part by the Economic Growth, Regulatory Relief, and Consumer Protection Act. The electronic service offered by the SSA was created in 2018 to aid financial institutions in combating synthetic identity fraud and verify an authorizing individual’s name, date of birth, and SSN against the SSA records. Services are based on the annual transaction volume and can cost thousands or even millions of dollars.

Common Signs of Synthetic Identification Theft

While difficult to trace, there are a few significant ways bankers can remain attentive to PII and other key indicators of synthetic identity fraud.

Most obvious is ensuring all SSNs match to the PII given. Do not assume a name change or relocation; ask questions or require verification for the sake of your bank and the security and privacy of all customers. This extra step could make all the difference in protecting the personal information of every customer.

If an account is already open, bankers should note applicants who have the same contact information or SSN as well as those with multiple authorized users.

As synthetic identity fraud becomes increasingly prevalent throughout the U.S., it is critical, for the safety of customers and security of all financial institutions, that Wisconsin bankers are prepared to combat this emerging fraudulent activity, caution community members against sharing unnecessary personal information with others, and assist individuals in regaining their rightful identity if necessary.

If you are interested in learning more about synthetic identity fraud, how these schemes can impact your bank or customers, or more ways you can take a stand against bad actors, please contact WBA’s Legal Team at wbalegal@wisbank.com or 608-441-1200.

/by
Row of digital locks with glowing lock in middle
,

Ensuring the Safety and Security of Wisconsin Communities

Dan PetersonBy Daniel J. Peterson

As technology continues to advance faster than ever before, the importance of staying up to date on the latest trends and best practices for the safety of both the bank and its customers is quickly becoming the number one concern for Wisconsin bankers.

As the last several years have shown, a growing number of consumers throughout the state rely on technology and online banking for their day-to-day needs. It is critical that, for continued success and relevance of our industry, bankers are aware of not only how best to serve our customers through offering modern banking amenities, but how to best protect our communities from increasingly more sophisticated — and prevalent — fraudsters.

For this purpose, in addition to ensuring that all Wisconsin banks remain a safe, secure place for finances and sensitive information, the Wisconsin Bankers Association (WBA) will once again host a combined Secur-I.T. & BSA/AML Conference. The conference specifically targets BSA/AML, operations, security, and technology banking professionals looking to remain educated on our ever-evolving industry.

This year’s annual conference will be held September 20 and 21 at Glacier Canyon Lodge in Wisconsin Dells and features a unique variety of speakers. From local professionals and WBA Associate Members to world-famous cyber security expert and ethical hacker Bryan Seely, WBA’s Secur-I.T. & BSA/AML Conference will assist banking teams in understanding how best to protect against hackers, what trends to watch for in money laundering, and so much more. This is an event you don’t want to miss!

By engaging in conferences such as WBA’s Secur-I.T. & BSA/AML Conference, bank leaders can ensure their staff is gaining the most relevant and up-to-date banking-related information from the most knowledgeable individuals in the industry. Along with over seven hours of presentations focused on the safety and security of our banks and customers, bankers will enjoy networking with professionals from across the state and meeting with exhibitors offering products and services that help community banks further advance their customer service capabilities.

Please visit wisbank.com/Secur-IT to register or for additional details.

Peterson is president and CEO of The Stephenson National Bank & Trust, Marinette, and the 2022–2023 WBA Chair.

/by
Hooded figure typing on laptop surrounded by strings of binary code
,

See Into the Mind of a Cybercriminal

WBA’s Secur-I.T. & BSA/AML Conference returns in 2022

As cybersecurity and fraud continue to be rising topics of discussion throughout the banking industry, bankers are encouraged to stay informed on the latest trends experts are seeing and how regulations will continue to impact Wisconsin banks by attending WBA’s annual Secur-I.T. & BSA/AML Conference held in Wisconsin Dells.

The two-day conference — beginning September 20 and adjourning at noon on September 21 — draws over 125 BSA/AML, operations, security, and technology professionals from around the state for over seven hours of educational presentations and networking.

This year’s keynote session will feature Bryan Seely, a world-famous cyber security expert, ethical hacker, author, and former U.S. Marine. Seely became one of the most famous hackers in 2014 when he became the only person to ever wiretap the United States Secret Service and FBI. Before he was caught, he confessed to the two agencies that there was an issue that needed to
be fixed.

Unlike many hackers, Seely is passionate about fighting for consumers rights, privacy, and educating the public about how to stay safe in a constantly changing technological landscape. In this keynote session, Seely will highlight the different ways in which hackers think and the new, creative ways professionals must approach security in order to protect the most critical information of the business and customers.

In addition to this captivating keynote speaker, the Secur-I.T. & BSA/ AML Conference offers several breakout sessions and networking opportunities that will assist banking professionals from throughout Wisconsin in further developing their bank’s customer experiences, BSA/ AML program, security, and technology capabilities as the banking and technology industries continue to evolve.

/by
Hooded figure typing on laptop surrounded by strings of binary code
,

Amid Russian Cyberattack Threat, Bankers Focus on Security Measures

By Paul Gores

With cyberattacks on U.S. businesses a possibility as Russia’s war against Ukraine rages on, financial institutions need to make sure their cybersecurity measures are first-rate and up to date, experts say.

The White House has warned that Russia could try to disrupt digital operations and damage the U.S. economy in retaliation for sanctions against Russia after its invasion of Ukraine.

Ransomware attacks on U.S. businesses, some based in Russia, already have been growing in recent years, and recently, the FBI said it discovered and secretly removed malware that hackers from Russia had placed in computer systems worldwide. Some American leaders think Russian President Vladimir Putin still has plans to try to inflict a major cyberattack.

If he does, banks that have been diligent and proactive about protecting their systems from hackers should be less vulnerable to the chaos a cyberattack could cause, experts say.

Banks need to make sure they’ve taken inventory of all of their technology assets and are doing what they can to keep them safe from attackers.

“Know what those assets are — all your software, hardware — and then from there follow your basic cyber hygiene,” said Scott Noles, assistant vice president and information security officer for Mukwonago-based Citizens Bank. “Are they up to date? Have you patched them? Do you have end-of-life software? Do you have anything that’s in your environment that shouldn’t be? Those I think are really mission critical.”

While many assume the Russian government would want to target the biggest banks and core processors to cause the most disruption to the financial system, infiltrating a bank of any size would be a win for attackers, experts say. That’s why it’s important for community banks to ensure techniques cyber crooks often use to bust into an institution’s system, including phishing emails that can be the gateway to a system takeover, will run into a tough defense. Training employees not to respond to infecting emails, whether in the office or working remotely, is one important step.

“Everyone’s digital life, whether it’s at work or at home, is intertwined now,” said Ian McShane, vice president of strategy for the cybersecurity firm Arctic Wolf Networks. “You can get compromised at home and have that lead into your work life as well. Just because you close the door on your laptop at work doesn’t mean you don’t need to remain vigilant. It can be a risk to businesses wherever you are.”

McShane and others stressed that multifactor authentication is crucial. With multifactor identification, users must submit two or more pieces of evidence to verify their identity in order to gain access to a digital resource. An organization must at least make sure that all of its information technology workers are using multifactor authentication.

In addition, McShane said, a bank’s IT pros or security officers should take stock of which machines in the system are accessible from the internet.

“And make sure there is a good reason for those machines to be accessible from the internet as well, because they are going to be the first bastion of adversarial activity,” he said.

Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, said specialty insurance carriers considering coverage applications from banks are requiring multifactor authentication.

“What the carriers are looking for amongst other internal controls, the big key is multifactor authentication,” he said. “And that multifactor authentication expands to all users, but most important are privileged users which are those users that can access critical systems, install software, and change security settings.”

Otteson said insurers also need to know that critical patches and updates are implemented and deployed, and they want servers and back-ups to be encrypted. Without those measures, “They put themselves at risk,” he said.

Banks must always be diligent and vigilant — and that was expected even before the Russian threat in the wake of the Ukraine invasion.

“There is no institution that’s immune from a potential cyberattack,” Otteson said.

The security measures of vendors that have access to bank data also have to be airtight, said Jeff Kurek, vice president, information services and cyber security for Park Bank in Madison. He said vendors ranging from those managing IT all the way down to the bank’s HVAC company could put a bank at risk if they have access to the internal system.

“We are heavily regulated, we’ve always had information security programs in place, we’ve always been audited,” Kurek said. “But what about our third-party vendors — the vendors that we utilize to provide us our critical services?”

If Russia were to mount a large cyberattack on the U.S., major infrastructure could be key targets, many believe. But cyberattacks could produce side victims like smaller banks. McShane said most incidents are opportunistic.

“They happen because someone clicks on something that they weren’t aware was weaponized, or it was part of another kind of attack or breach or ransomware campaign, and someone has noticed, ‘Hey, we’ve got access to a bank here,’” he said.

While the main goal of a Russian cyberattack would be to disrupt and damage the U.S. and its economy, extortion could be another result. Ransomware thieves normally try to break into an organization that has the insurance coverage and wherewithal to pay a multi-million ransom — an organization like a bank.

Big banks have the money to beef up their defenses in ways that a community bank might not, perhaps leaving the smaller bank more at risk if, say, the bank has let its software age and it no longer is receiving vendor patches to fix vulnerabilities.

“I think the smaller regional banks or city-based institutions don’t have that same luxury of being able to throw money at it,” McShane said.

But experts said no matter what size the bank is, it has to make cyber security a priority and be willing to spend the money to do it. The downside of a breach or extortion is too brutal, they said.

“I believe that any nation states that they’ll (Russia) be attacking, they will go after the biggest targets possible, but they also realize the biggest targets are the ones that are hardest to get into,” said Noles. “So what they’ll be doing is looking at anybody they can get into.”

The No. 1 method of attack still is phishing.

“They are trying to send you a link to see if they can get somebody to click on it, because then they can get credentials, they can get inside environments, they can install malware,” Noles said.

The cost of cybersecurity is increasing, but that’s just reality in today’s increasingly tech-driven world, experts say.

Otteson cited a Financial Crimes Enforcement Network (FinCEN) report showing that during the first half of 2021, financial institutions reported 635 suspicious ransomware-related activities, or 30% more than all reported activity in 2020. FinCEN said more than $590 million in payments tied to ransomware attacks occurred in the first six months of 2021, up from $416 million in all of 2020.

“(Insurance) rates are going up on these lines because the claims have been going up,” Otteson said.

Noles said vendors also can drive up the cost of cybersecurity by pushing new products. Many banks would be better off making sure they are effectively using capabilities of tools they already have purchased, he said.

“What do vendors have to do? They have to sell a new product. They have to sell a new blinky box or a new tool,” Noles said. “So they’re using what I call FUD — fear, uncertainty, and doubt — to get you to spend more money on their products.”

There’s no question cybersecurity costs will continue to rise.

“Probably eight years ago I saw an article of some sort that said ‘bringing IT from the backroom to the board room.’ That sort of stuck with me,” Kurek said. “And what that really means is that cybersecurity should be a strategy to the organization. It’s not just a keep-the-lights-on thing anymore. Cybersecurity is huge. It’s an inherent risk at this point to any company, and it should really be part of your overall company strategy in my opinion.”

If an incident takes place, banks also need to have a solid communication plan for reacting to it, making sure their lawyers, regulators, law enforcement, and customers are informed as promptly as possible.

“They should have a business continuity plan, and they should have an instant response plan, and they should be updating those regularly and they should be testing them regularly,” Kurek said. “And what a better time to test than now.”

Said McShane: “Nothing is more important in security than understanding you’re going to have an incident at some point, and it’s better to be prepared to know what to do when it happens.

Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

Midwest Bankers Insurance Services is a WBA Gold Associate Member.

Arctic Wolf Networks is a WBA Bronze Associate Member.

/by
Row of digital locks with glowing lock in middle

The Evolution of Information Technology

Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021 Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associates degree in data processing. Over the past two decades, he has also garnered a collection of training courses through venders and trade schools as well as certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give more processing power and ability to manipulate data to users and as the data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but out at the desktops anywhere in the company.

As data collection and storage abilities improved, not only did it become more difficult for all the information to be properly secured, it became increasingly important. Regulations have been created today in order to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our companies DNA” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message in appreciation over that last 13 years, “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”

/by
Digital locks representing cybersecurity
, ,

What Community Banks Need to Know About Ransomware Attacks

By Cassandra Krause 

With a recent uptick in activity, ransomware attacks are a form of cyberattack that has been prevalent in recent news — and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game to steal the data first, then threaten to also publish the data to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets. 

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020–2021. The per-record cost of personally identifiable information averaged $180. 

Prevention 

With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director InfoSec and Audit Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of their network security, improving endpoint protection to replace traditional antivirus and endpoint detection solutions, including adding authentication improvements such as MFA, improved password strength, and protecting backups. As more and more of the digital tools that bankers utilize require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities. 

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Wolf & Company, P.C. Manager of the I.T. Assurance Group Sean Goodwin, who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.” 

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee rather than break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology). 

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This area of solution, known as endpoint detection and response, is rapidly becoming a key point of protection from ransomware and all other malicious events. 

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 

Preparation 

Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for their customers. Otteson recommends reporting all incidents as even a minor incident could result in a claim down the line and having reported that incident when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or with a vendor the bank shared customer data with. 

Mitigation 

It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the amount of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff. 

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incidence response plan. Assessing what went well and what needs to be improved are critical steps.  

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 

Summary 

Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destructed data; and the down time of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.  

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCOMBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.  

/by

Will Wisconsin Tackle Regulating Cryptocurrency and Blockchain?

To date, while some federal agencies have made public statements, Congress has not exercised its constitutional power under the commerce clause to regulate cryptocurrencies and blockchain technology to the exclusion of the states. This means that the states remain free to enforce their own legislation. Sixteen states have enacted legislation related to virtual currency or cryptocurrencies and nine states have enacted or adopted laws that reference blockchain technology. 

To help assist lawmakers (and the general public), the State of Wisconsin Legislative Reference Bureau (LRB) created a summary that highlights the responses of major economic players as well as innovative practices on cryptocurrency and blockchain technologies. The report is designed to help gain a broad perspective of the current global regulatory market and the breadth of proposals for further policy and legislative guidance. Cryptocurrency, a subset of digital currency, is held up by some as the "currency of the future," and the technology that allows its existence could revolutionize business and government. 

As cryptocurrency becomes more mainstream, governments around the world have taken the first steps toward regulation; however, advances in technology frequently outpace legislation. The LRB report describes the principal characteristics of cryptocurrencies and the underlying technology that enables its existence-decentralized, distributed ledgers based on blockchains. The report then details recent developments in regulations in the United States by various federal regulatory and enforcement agencies and the most relevant case law. Finally, the report explores developments at the state level and summarizes the global regulatory landscape of international responses to the regulation of cryptocurrency. 

How Blockchains Work: A Sample Case Study

  1. Charlotte and Susie download digital wallets, providing the encryption keys necessary for the transaction. 
  2. Charlotte creates a message requesting a $15 transaction to repay Susie for dinner. The message is encrypted using Susie's public key, ensuring that only Susie can decrypt the message using her private key. The message also includes Charlotte's private key to validate her status as the initiating entity.
  3. The message is broadcast to a peer-to-peer (P2P) network consisting of private computers, or nodes. 
  4. The network validates the transaction and Charlotte's user status, then records and time-stamps it to verify that the cryptocurrency has changed possession. 
  5. The transaction is combined with other transactions to create a new block of data for the ledger.
  6. The new block of data is added to the existing blockchain in a way that is permanent and unalterable.

If you'd like to read the full LRB report please visit www.banconomics.com.

By, Amber Seitz

/by

Identity Theft Protection for Kids: What Parents Can Do

The Wisconsin Bankers Association offers for your use the following consumer education column. Your bank is free to use this as a community column in your local newspaper, a letter to the editor, a press release or in any other way you see fit. The purpose is to give our members an easy-to-use tool for promoting the banking industry to Wisconsin's communities.

Identity theft is on the top of many consumers' minds these days, with new data breaches announced seemingly weekly. As masses of Americans turn to credit monitoring, fraud alerts, and other solutions to prevent their identities from being stolen, one group sometimes slips through the cracks: children. Parents: don't forget that your child has a social security number, so their identity could be stolen and used to take out fraudulent loans that could damage their ability to buy a car, get student loans, rent an apartment, or even get a job in the future. Below are some steps to consider to help protect your children from ID theft: 

Watch for red flags.
First, keep an eye out for common signs that your child's identity has been used to obtain credit. These include an influx of mailed credit card and/or loan offers addressed to your child, a notice from the IRS that your child didn't pay income tax or was claimed as a dependent, and collections calls for bills addressed to your child. When your child gets older, being denied a bank account, driver's license, or government benefits (such as Medicaid) are also indications that their identity may have been stolen. 

Check your child's credit report.
The next step to take is similar to what you would do to protect your own identity: check their credit report. It's a bit more complex when the credit report you're requesting is your child's (versus your own), but it is an important step. Contact the major credit bureaus (Equifax, Experian, and TransUnion) to find out the specific documentation they require. You'll likely need to mail in copies of your child's birth certificate and/or their Social Security card, as well as a copy of your own ID. Keep in mind that your child may not have a credit report-and that's a good thing! It means your child's identity has not been used by criminals to obtain credit in their name. 

Consider a credit freeze.
If you find that your child has a credit report, consider placing a freeze on it. This is especially important to consider if your child's identity has been stolen, since it will help prevent future instances of their information being used to obtain credit. Wisconsin's Child Credit Protection Act allows parents and legal guardians to place a freeze on their child's credit record. By freezing their credit with each of the major credit bureaus, you will prevent criminals from taking out credit using your child's identity. Each credit bureau has a different process for freezing credit, so contact them to find out the steps if you are interest in a credit freeze for your child(ren). Keep in mind, the bureaus charge a fee to freeze and unfreeze credit, so you'll want to consider how close your child is to legitimate credit requests (such as student loans or a first credit card) before taking this step. 

If you suspect your child's identity has been stolen, visit www.identitytheft.gov for step-by-step guidance on what to do next. 

An archive of Consumer Columns is available online at www.wisbank.com/ConsumerColumns.

By, Amber Seitz

/by
Wisconsin Bankers Association logo

questions@wisbank.com

608-441-1200

4721 S Biltmore Ln.
Madison, WI 53718

Get our Newsletter!
Subscribe