Posts

WBA’s Secur-I.T. & BSA/AML Conference returns in 2022

As cybersecurity and fraud continue to be rising topics of discussion throughout the banking industry, bankers are encouraged to stay informed on the latest trends experts are seeing and how regulations will continue to impact Wisconsin banks by attending WBA’s annual Secur-I.T. & BSA/AML Conference held in Wisconsin Dells.

The two-day conference — beginning September 20 and adjourning at noon on September 21 — draws over 125 BSA/AML, operations, security, and technology professionals from around the state for over seven hours of educational presentations and networking.

This year’s keynote session will feature Bryan Seely, a world-famous cyber security expert, ethical hacker, author, and former U.S. Marine. Seely became one of the most famous hackers in 2014 when he became the only person to ever wiretap the United States Secret Service and FBI. Before he was caught, he confessed to the two agencies that there was an issue that needed to be fixed.

Unlike many hackers, Seely is passionate about fighting for consumers’ rights and privacy and about educating the public on how to stay safe in a constantly changing technological landscape. In this keynote session, Seely will highlight the different ways in which hackers think and the new, creative ways professionals must approach security in order to protect the most critical information of the business and its customers.

In addition to this captivating keynote speaker, the Secur-I.T. & BSA/AML Conference offers several breakout sessions and networking opportunities that will assist banking professionals from throughout Wisconsin in further developing their bank’s customer experiences, BSA/AML program, security, and technology capabilities as the banking and technology industries continue to evolve.

By Paul Gores

With cyberattacks on U.S. businesses a possibility as Russia’s war against Ukraine rages on, financial institutions need to make sure their cybersecurity measures are first-rate and up to date, experts say.

The White House has warned that Russia could try to disrupt digital operations and damage the U.S. economy in retaliation for sanctions against Russia after its invasion of Ukraine.

Ransomware attacks on U.S. businesses, some originating in Russia, already have been growing in recent years, and recently, the FBI said it discovered and secretly removed malware that hackers from Russia had placed in computer systems worldwide. Some American leaders think Russian President Vladimir Putin still has plans to try to inflict a major cyberattack.

If he does, banks that have been diligent and proactive about protecting their systems from hackers should be less vulnerable to the chaos a cyberattack could cause, experts say.

Banks need to make sure they’ve taken inventory of all of their technology assets and are doing what they can to keep them safe from attackers.

“Know what those assets are — all your software, hardware — and then from there follow your basic cyber hygiene,” said Scott Noles, assistant vice president and information security officer for Mukwonago-based Citizens Bank. “Are they up to date? Have you patched them? Do you have end-of-life software? Do you have anything that’s in your environment that shouldn’t be? Those I think are really mission critical.”

While many assume the Russian government would want to target the biggest banks and core processors to cause the most disruption to the financial system, infiltrating a bank of any size would be a win for attackers, experts say. That’s why it’s important for community banks to ensure techniques cyber crooks often use to bust into an institution’s system, including phishing emails that can be the gateway to a system takeover, will run into a tough defense. Training employees not to respond to infecting emails, whether in the office or working remotely, is one important step.

“Everyone’s digital life, whether it’s at work or at home, is intertwined now,” said Ian McShane, vice president of strategy for the cybersecurity firm Arctic Wolf Networks. “You can get compromised at home and have that lead into your work life as well. Just because you close the door on your laptop at work doesn’t mean you don’t need to remain vigilant. It can be a risk to businesses wherever you are.”

McShane and others stressed that multifactor authentication is crucial. With multifactor authentication, users must submit two or more pieces of evidence to verify their identity in order to gain access to a digital resource. At a minimum, an organization must make sure that all of its information technology workers are using multifactor authentication.

In addition, McShane said, a bank’s IT pros or security officers should take stock of which machines in the system are accessible from the internet.

“And make sure there is a good reason for those machines to be accessible from the internet as well, because they are going to be the first bastion of adversarial activity,” he said.

Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, said specialty insurance carriers considering coverage applications from banks are requiring multifactor authentication.

“What the carriers are looking for amongst other internal controls, the big key is multifactor authentication,” he said. “And that multifactor authentication expands to all users, but most important are privileged users which are those users that can access critical systems, install software, and change security settings.”

Otteson said insurers also need to know that critical patches and updates are implemented and deployed, and they want servers and back-ups to be encrypted. Without those measures, “They put themselves at risk,” he said.

Banks must always be diligent and vigilant — and that was expected even before the Russian threat in the wake of the Ukraine invasion.

“There is no institution that’s immune from a potential cyberattack,” Otteson said.

The security measures of vendors that have access to bank data also have to be airtight, said Jeff Kurek, vice president, information services and cyber security for Park Bank in Madison. He said vendors ranging from those managing IT all the way down to the bank’s HVAC company could put a bank at risk if they have access to the internal system.

“We are heavily regulated, we’ve always had information security programs in place, we’ve always been audited,” Kurek said. “But what about our third-party vendors — the vendors that we utilize to provide us our critical services?”

If Russia were to mount a large cyberattack on the U.S., major infrastructure could be key targets, many believe. But cyberattacks could produce side victims like smaller banks. McShane said most incidents are opportunistic.

“They happen because someone clicks on something that they weren’t aware was weaponized, or it was part of another kind of attack or breach or ransomware campaign, and someone has noticed, ‘Hey, we’ve got access to a bank here,’” he said.

While the main goal of a Russian cyberattack would be to disrupt and damage the U.S. and its economy, extortion could be another result. Ransomware thieves normally try to break into an organization that has the insurance coverage and wherewithal to pay a multi-million-dollar ransom — an organization like a bank.

Big banks have the money to beef up their defenses in ways that a community bank might not, perhaps leaving the smaller bank more at risk if, say, the bank has let its software age and it no longer is receiving vendor patches to fix vulnerabilities.

“I think the smaller regional banks or city-based institutions don’t have that same luxury of being able to throw money at it,” McShane said.

But experts said no matter what size the bank is, it has to make cyber security a priority and be willing to spend the money to do it. The downside of a breach or extortion is too brutal, they said.

“I believe that any nation states that they’ll (Russia) be attacking, they will go after the biggest targets possible, but they also realize the biggest targets are the ones that are hardest to get into,” said Noles. “So what they’ll be doing is looking at anybody they can get into.”

The No. 1 method of attack still is phishing.

“They are trying to send you a link to see if they can get somebody to click on it, because then they can get credentials, they can get inside environments, they can install malware,” Noles said.

The cost of cybersecurity is increasing, but that’s just reality in today’s increasingly tech-driven world, experts say.

Otteson cited a Financial Crimes Enforcement Network (FinCEN) report showing that during the first half of 2021, financial institutions reported 635 suspicious ransomware-related activities, or 30% more than all reported activity in 2020. FinCEN said more than $590 million in payments tied to ransomware attacks occurred in the first six months of 2021, up from $416 million in all of 2020.

“(Insurance) rates are going up on these lines because the claims have been going up,” Otteson said.

Noles said vendors also can drive up the cost of cybersecurity by pushing new products. Many banks would be better off making sure they are effectively using capabilities of tools they already have purchased, he said.

“What do vendors have to do? They have to sell a new product. They have to sell a new blinky box or a new tool,” Noles said. “So they’re using what I call FUD — fear, uncertainty, and doubt — to get you to spend more money on their products.”

There’s no question cybersecurity costs will continue to rise.

“Probably eight years ago I saw an article of some sort that said ‘bringing IT from the backroom to the board room.’ That sort of stuck with me,” Kurek said. “And what that really means is that cybersecurity should be a strategy to the organization. It’s not just a keep-the-lights-on thing anymore. Cybersecurity is huge. It’s an inherent risk at this point to any company, and it should really be part of your overall company strategy in my opinion.”

If an incident takes place, banks also need to have a solid communication plan for reacting to it, making sure their lawyers, regulators, law enforcement, and customers are informed as promptly as possible.

“They should have a business continuity plan, and they should have an instant response plan, and they should be updating those regularly and they should be testing them regularly,” Kurek said. “And what a better time to test than now.”

Said McShane: “Nothing is more important in security than understanding you’re going to have an incident at some point, and it’s better to be prepared to know what to do when it happens.”

Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

Midwest Bankers Insurance Services is a WBA Gold Associate Member.

Arctic Wolf Networks is a WBA Bronze Associate Member.

Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021, Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associate’s degree in data processing. Over the past two decades, he has also garnered a collection of training courses through vendors and trade schools as well as certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give users more processing power and more ability to manipulate data. As the data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but out at desktops anywhere in the company.

As data collection and storage abilities improved, securing all of that information became not only more difficult but also more important. Regulations now exist to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our companies’ DNA,” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message in appreciation of the last 13 years: “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”


By Cassandra Krause 

Ransomware attacks, a form of cyberattack that has seen a recent uptick in activity, have been prevalent in recent news — and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game: they steal the data first, then threaten to also publish it to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets.

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020 to 2021. The per-record cost of personally identifiable information averaged $180.

Prevention 

With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director InfoSec and Audit Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of their network security, improving endpoint protection to replace traditional antivirus and endpoint detection solutions, including adding authentication improvements such as MFA, improved password strength, and protecting backups. As more and more of the digital tools that bankers utilize require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities. 

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 
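As an added illustration (not part of the article or FIPCO’s own tooling), the following script evaluates a constructed backup inventory against the 3-2-1 rule quoted above and reports which of the three conditions each data set fails. Data set names, sites, and media are hypothetical; whether the production copy counts as one of the three is a policy decision, and here every listed copy counts.

```python
"""Evaluate a backup inventory against the 3-2-1 rule.

Added example; the inventory below is constructed and not from any bank.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str   # which data set this copy protects
    medium: str    # e.g. "disk", "tape", "object-storage"
    location: str  # hypothetical site name
    offsite: bool  # stored away from the primary site


def check_3_2_1(copies):
    """Return (passes, findings) for the copies of one data set.

    Rule as stated: three copies, on two different mediums, one of them
    off site.  The findings list names each failing condition so the
    report is actionable rather than a bare yes/no.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"copy count {len(copies)} (need 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        names = ", ".join(sorted(media)) or "none"
        findings.append(f"only {len(media)} medium ({names}); need 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    return (not findings, findings)


def audit_inventory(inventory):
    """Group copies by data set; return {dataset: (passes, findings)}."""
    by_dataset = {}
    for copy in inventory:
        by_dataset.setdefault(copy.dataset, []).append(copy)
    return {name: check_3_2_1(copies) for name, copies in by_dataset.items()}


# Constructed sample inventory: one compliant data set, one with three
# copies all on disk, and one with a single on-site copy.
SAMPLE_INVENTORY = [
    BackupCopy("core-ledger", "disk", "hq-san", False),
    BackupCopy("core-ledger", "disk", "hq-nas", False),
    BackupCopy("core-ledger", "tape", "vault-offsite", True),
    BackupCopy("loan-docs", "disk", "hq-san", False),
    BackupCopy("loan-docs", "disk", "hq-nas", False),
    BackupCopy("loan-docs", "disk", "branch-2", True),
    BackupCopy("hr-records", "disk", "hq-san", False),
]

if __name__ == "__main__":
    for name, (ok, findings) in audit_inventory(SAMPLE_INVENTORY).items():
        status = "PASS" if ok else "FAIL: " + "; ".join(findings)
        print(f"{name}: {status}")
```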

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Wolf & Company, P.C. Manager of the I.T. Assurance Group Sean Goodwin, who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.” 

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee rather than break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology). 

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This class of solution, known as endpoint detection and response, is rapidly becoming a key point of protection from ransomware and all other malicious events.

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 

Preparation 

Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for their customers. Otteson recommends reporting all incidents: even a minor incident could result in a claim down the line, and having reported that incident when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or with a vendor the bank shared customer data with.

Mitigation 

It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the number of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff.

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incident response plan. Assessing what went well and what needs to be improved are critical steps.

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 

Summary 

Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destroyed data; and the down time of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCO, MBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.

For the first time, this year WBA’s Secur-I.T. Conference will be combined with the annual BSA/AML Conference! These meetings — which cover many functions of a bank such as Bank Secrecy Act (BSA)/Anti-Money Laundering (AML), Operations, Security, and Technology — draw banking professionals from all around the state of Wisconsin for education and networking. The 2021 WBA Secur-I.T. & BSA/AML Conference will be held September 21–22 at the Kalahari Resort and Convention Center in Wisconsin Dells.

Attendees will benefit from over seven hours of presentations from general session topics to breakout sessions by nationally recognized speakers and local professionals; networking with more than 125 banking peers; and meeting several exhibitors who offer products and services geared to help banks with customer experiences, BSA/AML programs, security, and technology.

The conference will kick off with a discussion on virtual currency as that continues to emerge as a hot button conversation for BSA/OFAC risk. The first conference speaker, Robin Guthridge of Wipfli LLP, will discuss FinCEN and the U.S. Treasury advisories regarding the risk virtual currency transactions could present. The event will also explore monitoring and SAR-filing responsibilities relating to virtual currency transactions.

Terri Luttrell from Abrigo will be diving into a topic that is closer to home than many may think. Human trafficking is one of the fastest growing criminal activities in the world, exploiting over 45 million people and generating an estimated $150 billion in profits each year. Financial institutions have a critical role to play in identifying and disrupting human trafficking. This next session at the conference will discuss what financial institutions and BSA professionals can do to help identify, flag, and prevent human trafficking.

The conference will close out with Alex Weber, international speaker, American Ninja Warrior, and award-winning performer for NBC. Weber’s contagious energy and strategic methods for transforming audiences to achieve at their highest levels will certainly leave attendees feeling their best and excited to return to the bank post conference. Whether you are looking for BSA updates, high-tech discussions, peer networking, or all of the above, you will want to make sure you are in attendance at this year’s Conference. We hope to see you there!

Encourage your customers to tell Congress not to let the IRS invade their privacy.

The Biden administration is advancing an overreaching proposal requiring financial institutions to report their customers’ deposit and withdrawal information to the IRS, regardless of their tax liability or consent. WBA, ABA, ICBA, and other state banking associations are opposed to this measure and this is a topic we have been discussing in meetings with our Congressional delegation.

ICBA’s landing page for this issue may be found here.

Please consider sending a message to your representative and senators, and encourage your customers to do the same here.

According to analyst firm Gartner, extended detection and response (XDR) is a “SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

You’ll hear plenty of the traditional vendors of antivirus begin to proclaim themselves as an endpoint detection and response (EDR) or XDR solution, trying to keep up with this more advanced tool space. As they continue to either buy up other vendors with the tool sets (then try to bolt them on to their traditional solution) or simply try to remake themselves in the model of an XDR solution in other ways, their final offering often has limitations. Typically, they’ll cover some but not all the areas of a complete XDR solution. They will address hosts and files but not network and users, or network and hosts but not files or users. They’ll miss some of that cohesive security operation defined by Gartner.

A recent article from HelpNetSecurity — a popular information security online publication — titled “XDR and MDR: What’s the Difference and Why Does It Matter?” made the following statement in closing: “An XDR solution without adequate human expertise/staffing behind it will only ever be a tool. With a managed services model in play, you’re getting both the comprehensive technology capabilities and the people required to make it work — which is why managed detection and response (MDR) may be the only acronym that your organization needs.”

This statement is very accurate for the less complete XDR offerings that do not include the managed and monitoring components in their solutions. They become like all the security information and event management (SIEM) and log management solutions that have been pushed at you for years: just another tool that no one has the expertise to manage or to extract the benefits you bought it for. So, what do you have to do? One option is to buy the “managed services” from these tool vendors, which can make banks dependent on them.

Another option is to research other solutions that are out there. In addition to Cynet, our Infosecurity consulting services suggest reviewing Gartner’s list of EDR solutions and offerings from WBA Associate Members when completing your due diligence. Complete solutions like Cynet360 include the backing of the Cynet CyOps team without needing to pay extra, bolt on more products, or go looking for the 24x7x365 expertise of another managed provider. This doesn’t mean that you can’t still depend on a managed services provider for another layer of monitoring and managing, but are they independent if they also are who you need to be monitoring? There’s nothing wrong with leveraging the additional layer you’ve come to depend on, but at what added cost to get the independence and expertise like that of a CyOps team that is already baked into the Cynet360 solution? You will still need to explain to your auditor and examiners that you’ve learned the tool adequately enough to understand and generate independent reporting of the activities of the managed third party.

At least when you are answering that questionnaire for your cyber insurance coverage, you’ll be able to check off ‘Yes’ on several questions because you implemented a powerful, more advanced endpoint protection solution.

Shaurette is FIPCO director of infoSecurity and audit. Contact him at kshaurette@fipco.com or 608-441-1251.

By Alex Paniagua

Cyberattacks on bank data, including ransomware incursions that can deny a financial institution access to its own digital information, are an increasing operational risk, an industry regulator and cybersecurity experts warn. 

While most have adapted to employees working remotely during the COVID-19 pandemic, banks need to be especially mindful as hackers more aggressively attempt to break into computer systems from various points of entry, they say. 

“Banks should remain vigilant concerning cybersecurity control and risk management practices as banks face continuous threats from cyber actors,” the Office of the Comptroller of the Currency stated in its autumn Semiannual Risk Perspective. “These actors have become less inhibited and more sophisticated with their knowledge of the financial institution operations and vulnerabilities in bank applications or systems.” 

In addition to exploiting system susceptibilities, cyber crooks are using exploitation methods like phishing emails and credential theft to compromise bank systems, and examiners continue to identify concerns with bank information technology security, the OCC said. 

The pandemic has made the situation worse. 

“Cyber criminals prey on fear and urgency and general mass concern. So the coronavirus, this global pandemic that we’re dealing with, really is the sweet spot for those folks – particularly in sending out mass phishing email scams,” said Jon Waldman, co-founder of SBS CyberSecurity, a Madison, South Dakota firm that works with many financial institutions. “One out of every three phishing scams today are COVID related.” 

Waldman said that during the March-through-April stretch when coronavirus fears initially peaked, there was a 667% rise in phishing emails in the U.S. 

Phishing – a technique in which a cyber thief sends emails in the hope of duping an unsuspecting victim into turning over private information like email or system passwords – often is the easiest route for busting into a data system. 

Rather than use a highly skilled hacker to try to break through a company’s firewall, criminal organizations can send authentic-looking phishing emails that trick the recipient into clicking on a link that opens the door to a data takeover. 

“The weakest link is the person who hasn’t been informed well enough or trained well enough or educated well enough that you don’t click on links that were not expected,” said Ken Shaurette, director of info security and audit for the Madison-based bank services firm FIPCO. “I’ve seen some extremely crafty ones. They will even fool the experts when they’re well done. And one time is all it takes.” 

In one common ruse, a hacker infiltrates actual email accounts from a title company or real estate brokerage. The crooks might then send, for instance, an email to a homebuyer who is getting ready to close on a mortgage, telling him or her the location where funds should be wired has just changed. 

“It’s coming with an actual email address. You — as a homebuyer — how do you know that wasn’t legitimate?” Shaurette said. 

In its report, the OCC warned that the financial sector continues to see an increase in ransomware attacks with cyber actors using phishing emails as the main attack method. 

In a ransomware attack, the cyber crook finds a way into a company’s system and then encrypts important data and demands money, typically via Bitcoin, to provide a key that unlocks it.  

“Recently, cyber actors have elevated their tactics to not only target and encrypt bank data while compelling payment but also threaten to auction or publish customer information on the dark web,” the OCC said. 

Banks should have a clear understanding of the impact of a ransomware attack and the potential effects on the banks’ customers and third parties, the OCC said. Dealing with breaches often comes at great cost – both financial and to customer relations.  

“Given the nature of what they do, if banks can’t recover because they don’t have appropriate backup or secured backup systems in place, they are likely looking at a scenario of ‘Well, how do we get our data back?’ and that could include paying the ransom,” said Tom Wojcinski, a director in the risk advisory services practice of the Milwaukee-based accounting and consulting firm Wipfli. 

Although authorities say companies never should pay the ransom to regain access to their data, some do. 

“If nobody paid the ransom the market would evaporate and it would stop being a thing,” Wojcinski said. “But people are paying the ransom, so the cyber criminals are continuing to drive innovation of their ransomware. It’s getting better, it’s getting faster, it’s getting harder to detect.” 

Waldman said that when a ransomware group or an attacker gets into a network, they often go 40 to 60 days – and even up to 200 days – without being detected. 

“Which gives the bad guy a lot of time to steal information and then use that as leverage in order to force an additional ransomware payment,” Waldman said. “If you have that kind of leverage, that also means you can ask for more money, and if the company doesn’t pay the ransom, then they threaten to post the data.” 

What is a typical ransom demand to a business? 

“Probably at the beginning of 2019 the average was $30,000 to $50,000, and today it’s over $200,000 on average,” Waldman said. “If you’re a bigger company, then it’s usually seven figures.” 

Given the immense hassle and cost of dealing with a ransomware takeover – and many other types of cyber intrusion – prevention and detection are crucial. 

Experts say companies need to be especially wary during a time when more employees are working remotely instead of in a building where data systems are assumed secure. 

“It’s taking employees that were once on a ‘trusted’ system in their office and potentially moving them out to a personal computer that now has not had the same kinds of controls applied to it,” Shaurette said.  

Said Waldman: “Those folks that are working from home are still working with customer information on behalf of the bank, and there’s a big potential exposure there if they would click on a phishing email or get ransomware that goes back to the financial institutions. The big message is: make sure that you use these next few months to plan around securing your work-from-home folks.” 

What are some ways a bank can protect itself against cyber crooks? 

Use multiple data backups. Waldman stressed backing up data, not just with a cloud backup, but also by keeping a copy offline and not connected to the network – safely away from the clutches of criminals. 

“In almost every case that we’ve worked from a digital forensic incident response perspective, any time an organization has had to pay the ransom, it’s because they didn’t have good data backups,” Waldman said. 

Have a strong patch management system. Staying up to date on patches typically prevents many data breaches, Waldman said. 

Train employees to make sure they’re aware of threats. Wojcinski said banks need to “create a culture of security.” 

“When I say create a culture of security, I’m really thinking about how we need to instill professional skepticism in our end users,” Wojcinski said. “And we need people to really think twice to say, ‘Should I click this link? Should I process this wire transfer? Should I do this? Is that the right thing? Let’s ask for clarification.’” 

Use multi-factor authentication. Hackers can steal or buy email credentials. Having another way to make sure the people behind the account are who they say they are can head off trouble. 

Have strong passwords. “Passwords don’t need to be complex. They need to be long,” said Shaurette. “Passwords don’t need to be hieroglyphic. They need to be unique and they should be long – and by long, it should be 15 characters and plus. If I use three or four unrelated words, I’ve got a long password that nobody is likely to ever guess.” 

Use next-generation antivirus software. While traditional antivirus programs rely on a database of cyber threats, advanced antivirus software analyzes a file before it opens to see if it’s going to execute code in a way that appears to be malicious, Waldman said. 

Make sure your security system can quickly identify intruders. This will keep criminals from having extended time in a bank’s network and records, Waldman said. 

Even with preventive measures in place, “You still need to anticipate those will be circumvented or breached somehow,” Wojcinski said. 

“We’ve got to have monitoring processes in place to identify suspicious network traffic, as well as endpoint detection tools to look for anomalous processes running on workstations,” Wojcinski said. 

If banks build strong cybersecurity systems, compliance with regulators shouldn’t be an issue, Shaurette said. 

“If you’ve built based on strong industry standards and continue to mature it – it’s a journey, not a destination – you will be compliant to any regulation that ever comes along,” he said. 

FIPCO is a WBA subsidiary and a WBA Gold Associate Member. 

SBS CyberSecurity is a WBA Bronze Associate Member.

Wipfli is a WBA Silver Associate Member. 

By Alex Paniagua

To date, while some federal agencies have made public statements, Congress has not exercised its constitutional power under the commerce clause to regulate cryptocurrencies and blockchain technology to the exclusion of the states. This means that the states remain free to enforce their own legislation. Sixteen states have enacted legislation related to virtual currency or cryptocurrencies and nine states have enacted or adopted laws that reference blockchain technology. 

To assist lawmakers (and the general public), the State of Wisconsin Legislative Reference Bureau (LRB) created a summary that highlights the responses of major economic players as well as innovative practices on cryptocurrency and blockchain technologies. The report is designed to help readers gain a broad perspective of the current global regulatory market and the breadth of proposals for further policy and legislative guidance. Cryptocurrency, a subset of digital currency, is held up by some as the "currency of the future," and the technology that allows its existence could revolutionize business and government. 

As cryptocurrency becomes more mainstream, governments around the world have taken the first steps toward regulation; however, advances in technology frequently outpace legislation. The LRB report describes the principal characteristics of cryptocurrencies and the underlying technology that enables their existence: decentralized, distributed ledgers based on blockchains. The report then details recent developments in regulations in the United States by various federal regulatory and enforcement agencies and the most relevant case law. Finally, the report explores developments at the state level and summarizes the global regulatory landscape of international responses to the regulation of cryptocurrency. 

How Blockchains Work: A Sample Case Study

  1. Charlotte and Susie download digital wallets, providing the encryption keys necessary for the transaction. 
  2. Charlotte creates a message requesting a $15 transaction to repay Susie for dinner. The message is encrypted using Susie's public key, ensuring that only Susie can decrypt the message using her private key. The message also includes Charlotte's private key to validate her status as the initiating entity.
  3. The message is broadcast to a peer-to-peer (P2P) network consisting of private computers, or nodes. 
  4. The network validates the transaction and Charlotte's user status, then records and time-stamps it to verify that the cryptocurrency has changed possession. 
  5. The transaction is combined with other transactions to create a new block of data for the ledger.
  6. The new block of data is added to the existing blockchain in a way that is permanent and unalterable.
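As an added example, not part of the LRB report or of this post, the following Python model walks through steps 2 to 6 of the case study with a toy ledger. It assumes a constructed, deliberately tiny RSA keypair for Charlotte and constructed opening balances; for step 2 it has Charlotte sign the message with her private key rather than embed the key, so the key never leaves her wallet, and it leaves out the encryption of the message to Susie's public key.

```python
import hashlib
import json
import time

# Added example (not from the LRB report): a toy ledger that walks through
# steps 2 to 6 of the case study. The RSA keys use tiny textbook primes so the
# arithmetic is readable; they are NOT secure and only show how a private key
# proves who initiated a transaction without the key ever being transmitted.

def make_toy_keypair(p=61, q=53, e=17):
    """Textbook RSA with tiny primes: returns (public, private) as (exp, n)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)

def digest(obj):
    """Canonical SHA-256 of a JSON-serialisable object, as an integer."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def sign(message, private_key):
    # Step 2: the wallet signs with the private key; the key itself stays home.
    d, n = private_key
    return pow(digest(message) % n, d, n)

def verify(message, signature, public_key):
    # Step 4: any node can check the signature using only the public key.
    e, n = public_key
    return pow(signature, e, n) == digest(message) % n

class Ledger:
    """Steps 3 to 6: the ledger every node holds, as a chain of hash-linked blocks."""

    def __init__(self, balances):
        self.balances = dict(balances)  # constructed opening balances
        self.seen = set()               # (sender, nonce) pairs already accepted
        self.pending = []               # validated transactions awaiting a block
        self.chain = [self._make_block([], "0" * 64)]  # genesis block

    @staticmethod
    def block_hash(block):
        body = {k: v for k, v in block.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _make_block(self, txs, prev_hash):
        block = {"prev_hash": prev_hash, "timestamp": time.time(), "txs": txs}
        block["hash"] = self.block_hash(block)
        return block

    def submit(self, tx, signature, sender_public_key):
        """Step 4: check the sender's signature, replay protection and funds."""
        if not verify(tx, signature, sender_public_key):
            return "bad-signature"
        if (tx["from"], tx["nonce"]) in self.seen:
            return "replay"
        if self.balances.get(tx["from"], 0) < tx["amount"]:
            return "insufficient-funds"
        self.seen.add((tx["from"], tx["nonce"]))
        self.balances[tx["from"]] -= tx["amount"]
        self.balances[tx["to"]] = self.balances.get(tx["to"], 0) + tx["amount"]
        self.pending.append({"tx": tx, "sig": signature})
        return "ok"

    def mine_block(self):
        """Steps 5 and 6: bundle pending transactions into a block linked by hash."""
        block = self._make_block(self.pending, self.chain[-1]["hash"])
        self.chain.append(block)
        self.pending = []
        return block

    def is_valid(self):
        """Tamper check: an edited block breaks its own hash or the next link."""
        for i, block in enumerate(self.chain):
            if block["hash"] != self.block_hash(block):
                return False
            if i and block["prev_hash"] != self.chain[i - 1]["hash"]:
                return False
        return True

def demo():
    """Runs the dinner repayment from the case study plus three rejected cases."""
    charlotte_pub, charlotte_priv = make_toy_keypair()
    ledger = Ledger({"Charlotte": 40, "Susie": 5})
    tx = {"from": "Charlotte", "to": "Susie", "amount": 15, "memo": "dinner", "nonce": 1}
    sig = sign(tx, charlotte_priv)
    results = {"dinner": ledger.submit(tx, sig, charlotte_pub)}
    # An altered copy of the message cannot be re-signed without Charlotte's key.
    results["forged"] = ledger.submit(dict(tx, amount=30), sig, charlotte_pub)
    # Resending the genuine message must not pay Susie twice.
    results["replay"] = ledger.submit(tx, sig, charlotte_pub)
    # A properly signed request that Charlotte cannot cover.
    big = dict(tx, amount=100, nonce=2)
    results["overspend"] = ledger.submit(big, sign(big, charlotte_priv), charlotte_pub)
    ledger.mine_block()
    results["valid_before"] = ledger.is_valid()
    ledger.chain[1]["txs"][0]["tx"]["amount"] = 1  # try to rewrite history
    results["valid_after"] = ledger.is_valid()
    return results, ledger

if __name__ == "__main__":
    print(demo()[0])
```

The last two results show why the case study calls the chain "permanent and unalterable": editing a recorded amount changes the block's hash, so every node's integrity check fails from that block onward.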

If you'd like to read the full LRB report please visit www.banconomics.com.

By Amber Seitz

The Wisconsin Bankers Association offers for your use the following consumer education column. Your bank is free to use this as a community column in your local newspaper, a letter to the editor, a press release or in any other way you see fit. The purpose is to give our members an easy-to-use tool for promoting the banking industry to Wisconsin's communities.

Identity theft is on the top of many consumers' minds these days, with new data breaches announced seemingly weekly. As masses of Americans turn to credit monitoring, fraud alerts, and other solutions to prevent their identities from being stolen, one group sometimes slips through the cracks: children. Parents: don't forget that your child has a Social Security number, so their identity could be stolen and used to take out fraudulent loans that could damage their ability to buy a car, get student loans, rent an apartment, or even get a job in the future. Below are some steps to consider to help protect your children from ID theft: 

Watch for red flags.
First, keep an eye out for common signs that your child's identity has been used to obtain credit. These include an influx of mailed credit card and/or loan offers addressed to your child, a notice from the IRS that your child didn't pay income tax or was claimed as a dependent, and collections calls for bills addressed to your child. When your child gets older, being denied a bank account, driver's license, or government benefits (such as Medicaid) are also indications that their identity may have been stolen. 

Check your child's credit report.
The next step to take is similar to what you would do to protect your own identity: check their credit report. It's a bit more complex when the credit report you're requesting is your child's (versus your own), but it is an important step. Contact the major credit bureaus (Equifax, Experian, and TransUnion) to find out the specific documentation they require. You'll likely need to mail in copies of your child's birth certificate and/or their Social Security card, as well as a copy of your own ID. Keep in mind that your child may not have a credit report, and that's a good thing! It means your child's identity has not been used by criminals to obtain credit in their name. 

Consider a credit freeze.
If you find that your child has a credit report, consider placing a freeze on it. This is especially important to consider if your child's identity has been stolen, since it will help prevent future instances of their information being used to obtain credit. Wisconsin's Child Credit Protection Act allows parents and legal guardians to place a freeze on their child's credit record. By freezing their credit with each of the major credit bureaus, you will prevent criminals from taking out credit using your child's identity. Each credit bureau has a different process for freezing credit, so contact them to find out the steps if you are interested in a credit freeze for your child(ren). Keep in mind, the bureaus charge a fee to freeze and unfreeze credit, so you'll want to consider how close your child is to legitimate credit requests (such as student loans or a first credit card) before taking this step. 

If you suspect your child's identity has been stolen, visit www.identitytheft.gov for step-by-step guidance on what to do next. 

An archive of Consumer Columns is available online at www.wisbank.com/ConsumerColumns.

By Amber Seitz

Events

One of the most critical aspects of any Information Security Program is communication and sharing information. This is especially true with Executives and the Board of Directors, who need to be educated and informed on all aspects of information security so they can ask better questions and make appropriate decisions. If the top level of the organization better understands the risks and the potential impact, it will help build a stronger information security culture throughout the organization.

So what do you need to report upstream to help the Board and Executives understand your ISP and risk? Let’s dive in. This presentation will cover the following areas/topics:

  • Regulatory requirements for reporting ISP info upstream
  • A framework for asking better questions
  • What is most important to report upstream?
  • How often should you report upstream?
  • Setting a culture of security starts at the top

Target Audience: Information security officer, IT manager, risk officer, internal auditor, CIO

Presenter: SBS CyberSecurity, LLC

Registration Option: Live presentation $330

Recording available through January 14, 2023

BACK AGAIN IN 2022: The 2022 Secur-I.T. Conference is now combined with the annual BSA/AML Conference!

The 2022 WBA Secur-I.T. & BSA/AML Conference will be held on September 20-21 at Glacier Canyon Lodge in Wisconsin Dells. The conference will kick off at 8:30 a.m. on Tuesday and adjourn at Noon on Wednesday.

This annual meeting brings together BSA/AML, Operations, Security and Technology banking professionals from all around the state of Wisconsin for education and networking. Attendees will benefit from over 7 hours of presentations from nationally recognized speakers and local professionals; network with more than 125 banking peers; and meet several exhibitors who offer products and services geared to better your bank’s customer experiences, BSA/AML program, security, and technology. You won’t want to miss this great event!

Registration Information

Banker Registration:

The registration fee of $350/attendee includes conference materials, Tuesday refreshments, lunch and reception; and Wednesday breakfast and refreshments. If your bank brings multiple attendees, each person after the first registrant is $300/attendee.

To receive the published discount, you must register everyone at the same time.

Associate Member Registration: 

The registration fee of $450/attendee includes conference materials, Tuesday refreshments, lunch and reception; and Wednesday breakfast and refreshments.

Refund Policy: A refund, less a $25 administrative fee, is provided for cancellations requested on or before Thursday, September 15, 2022.

Exhibitor Registration:

Exhibit Booths are available for $650 for Associate Members and $1,150 for non-Associate Members. Exhibit booth registrations include one attendee. Additional booth attendees can be registered for $250/attendee. Visit the Information for Exhibitors/Sponsors tab for more information.

When it comes to information and cyber security, the responsibility falls at several levels, including the board of directors and senior management. The board is to set the tone, provide governance, approve information security policies, and designate an ISO. Senior management is to ensure the information security program is developed and maintained. The ISO, however, is responsible for overseeing and reporting on the management and mitigation of information and cyber security risks across the institution and is to be held accountable for the results of the oversight and reporting. The ISO is also responsible for seeing that the information/cyber security program is implemented and satisfies the regulatory Interagency Guidelines for Establishing Information Security Standards (GLBA).

Once thought to be a technology function, the role was typically delegated to the IT manager or officer, but today the ISO is to be independent of IT operations and report directly to the board, a board committee, or senior management. In fact, the independence of the ISO is stated in not just one of the FFIEC IT Examination Booklets but two. The September 2016 Information Security Booklet states “to ensure appropriate segregation of duties, the ISO should be independent of IT operations staff and should not report to IT operations management.” The November 2015 Management Booklet states “the ISO should be an enterprise-wide risk management rather than a production resource devoted to IT operations.”

What You Will Learn

  • Regulatory expectations
  • Role of the ISO
  • Typical Job Description
  • Independence Mitigation Suggestions
  • ISO

Who Should Attend
Board, Senior Management, Auditors, IT Management, ISO, Risk Officers, IT Committee.

Presenter
Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.

As an auditor and consultant, Orr is dedicated to assisting financial institutions in implementing appropriate policies and controls to protect confidential information and comply with regulatory mandates and best practices. Her expertise as an auditor and former examiner provides her the knowledge and expertise to conduct comprehensive IT general control and data security reviews and assist de novo institutions in the vendor selection process, preparing policies and procedures, and instituting controls. She also consults for numerous security providers and vendors helping them align products and services to meet institution regulatory mandates. Susan is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified Risk Professional (CRP).

Registration Options
Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts $279

Available Upgrades:

  • 12 Months OnDemand Playback + $110
  • 12 Months OnDemand Playback + CD + $140
  • Additional Live Access + $75 per person

In recent years, financial institutions have seen a significant amount of new guidance on third party risk management and new terms coined such as Fourth Party Management. The FFIEC Cybersecurity Assessment Tool (CAT) encourages financial institutions to expand questioning around third party risk management practices and suggests more rigorous oversight. The FFIEC coined the term “External Dependencies” in CAT guidance. This expands requirements beyond vendors to include any third-party relationship, including customers. Regulators also suggest that the FFIEC CAT can be leveraged against Third Parties, not just financial institutions. In addition to the FFIEC, the OCC has issued additional guidance for examiners when reviewing third party management programs.

We will explore best practices for Vendor Management, Third Party Risk Management, Fourth Party Management, and Customer Risk Management.

Covered Topics

  • Overview of industry breaches
  • New regulatory expectations
  • Risk Management practices for selecting new products/services
  • Risk Management of existing relationships
  • Third Party and Fourth Party Management concepts
  • SOC 2 Reports and how to get value
  • Integration of customers into management program
  • Lessons learned from failed management programs

Who Should Attend
Information Security Officer, IT Manager, Risk Officer, Internal Auditor, CFO, and Executives looking to understand the risk around Third Party Management.

Instructor Bio
Cody Delzer, CISA, is a VP Information Security Consultant for SBS CyberSecurity, LLC of Madison, SD, who has a Bachelor of Science Degree in Computer and Network Security from Dakota State University and 9 years’ experience in IT and IT Security: 2 years in Systems Operations and 7 years in Information Assurance. Cody has worked with over 200 Financial Institutions and other private industry organizations across the United States.

Registration Options
Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts $279

Available Upgrades:

  • 12 Months OnDemand Playback + $110
  • 12 Months OnDemand Playback + CD + $140
  • Additional Live Access + $75 per person

Topics in analyzing source documents, recording business transactions in a journal and posting entries in a ledger. How to prepare a trial balance, gather adjustment data and complete a worksheet are covered, as well as how to prepare financial statements and post-closing entries.

This course is the recommended prerequisite for Analyzing Financial Statements.

Audience: Bank personnel at any level with little or no accounting background

The required textbook for this course is College Accounting, 13th Edition.

IMPORTANT: Be sure to order the required book for this course. We recommend that you FIRST select and add your course session to the shopping cart, then select your preferred format of book from the “Recommended Training” options that appear alongside the shopping cart.

Price: $471


It seems like fraudsters are always one step ahead. The battle against sophisticated social engineering attacks continues. Are you keeping up? Join us to learn the latest schemes and defenses.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
• Identify social engineering exploits that may be successful at your institution
• Understand how attackers are using multiple forms of social engineering to gather information throughout your institution
• Detect suspicious calls that may have been overlooked
• Determine areas that may be susceptible to onsite social engineering exploits
• Take steps to protect against complex threats

WEBINAR DETAILS
The previous year saw social engineering attacks increase in both volume and sophistication. The perpetrators of social engineering (SE) attacks are smart, motivated, and persistent. Phishing emails are by far the predominant SE security breach, but the last year also saw deepfakes (a type of artificial intelligence) being used to create convincing images, audio, and video hoaxes. By using artificial, enhanced voice simulation, fraudsters stole $35 million from a bank in the United Arab Emirates. COVID-19 has forced many institutions to close lobbies for extended periods of time and this has contributed to an uptick in successful onsite SE exploits. A combination of multiple types of SE attacks spread over time has contributed to an increase in SE-related losses. Join this insightful webinar to learn how to confront these threats.

WHO SHOULD ATTEND?
This session is designed for chief information security officers, senior management, call center personnel, operations staff, and anyone responsible for securing accountholder information.

TAKE-AWAY TOOLKIT
• List of the most common social engineering test failures
• Checklist of defensive measures to limit social-engineering attack effectiveness
• Questions to ask your IT auditor to scope effective social engineering testing
• PDF of slides and speaker’s contact info for follow-up questions
• Attendance certificate provided to self-report CE credits
• Employee training log
• Interactive quiz

NOTE: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your agency is prohibited. Print materials may be copied for eligible participants only.

MEET THE PRESENTER — John Moeller, CLA
John Moeller is a principal at CLA in the IT & Cyber Security Services Group. For over 30 years, Moeller has served the technology needs of financial institutions across the country. His experience includes strategic technology planning, technology and vulnerability/risk assessments, controls reviews, information security and business continuity program development, and board of director training.

Moeller is a frequent speaker on information security, IT assessments and strategy, CIO outsourcing, and managed IT services. He holds several professional certifications, including Certified Information Systems Security Professional, Certified Ethical Hacker, and EC Council – Certified Security Analyst. He received a bachelor’s in Information Technology from Capella University.

REGISTRATION OPTIONS

  • $245 – Live Webinar Access
  • $245 – OnDemand Access + Digital Download
  • $320 – Both Live & On-Demand Access + Digital Download

Cybersecurity threats continue to rapidly evolve in sophistication and are occurring with increased frequency. Daily, we hear news about a new data breach, a dangerous strain of malware, innovative hacking schemes, and targeted efforts of organized crime groups. In fact, cybersecurity news has become so pervasive that it’s not even shocking news to most people anymore. This session will provide detailed information on how to prevent the latest information security threats and ways to mitigate the latest vulnerabilities.

The discussion will include:

  • Network compromises and data breaches
  • ATM Jackpotting and unlimited operations
  • New internet-based vulnerabilities
  • Commercial account takeover
  • Business email compromise
  • Standards for protecting information systems (NIST, SANS, ISO)
  • Advanced controls to mitigate risk (DLP, SIEM, App Whitelisting, Next Gen Firewalls, Network Segregation, Incident Response, Continual Monitoring, Forensics)
  • How to tie standards and controls to the IT Risk Assessment and IT Audit Program

Target Audience:  Information security officer, IT manager, risk officer, internal auditor, CIO, and executives looking to better understand cybersecurity risks.

Presenter
SBS CyberSecurity, LLC

Registration Option
Live presentation $330

Recording available through July 22, 2022

The thing about Incident Response, just like Business Continuity (and insurance), is that we all hope the scenarios we know can happen never actually occur. However, the point of planning is to anticipate the bad things happening and have a plan to deal with those incidents, should they occur.

While it can be difficult to document a response for Incident Response scenarios that have never occurred, building out step-by-step scenarios into an Incident Response Playbook might just save your organization time, money, resources, or even the business itself if something bad does happen. How do you create your own Incident Response Playbook?

This presentation will cover the following areas/topics:

  • Regulatory requirements of an Incident Response Plan (IRP)
  • Components of a valuable IRP
  • Threat Assessments
  • What is an Incident Response Playbook?
  • Testing Your Incident Response Playbook
  • Using Your Playbook to improve your IRP

Target Audience: Information security officer, IT manager, risk officer, internal auditor, CIO.

Presenter
SBS CyberSecurity, LLC

Registration Options
Live presentation $330

Recording available through September 3, 2022