Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021, Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associate’s degree in data processing. Over the past two decades, he has also garnered a collection of training courses through vendors and trade schools as well as certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give users more processing power and ability to manipulate data, and as the data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but out at desktops anywhere in the company.

As data collection and storage abilities improved, not only did it become more difficult for all the information to be properly secured, it became increasingly important. Regulations have been created today in order to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our companies’ DNA,” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message in appreciation of the last 13 years: “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”

FIPCO partners with

In this current world, customer connection comes at a premium. The pandemic changed many things and shifted customer behavior. Now customers who may have previously stopped by a branch to ask a question are seeking service through phone more and more. How can financial institutions manage the ever-increasing number of calls while still providing high-quality service?

FIPCO is proud to announce a new partnership with’s artificial intelligence (AI)-Powered Phone Banking solves many of the problems faced by traditional call centers, elevating the entire call center experience. The AI-Powered Phone Banking automates more than 60% of the financial institution’s call center calls using the industry’s first neural voice-powered AI assistant.

“We are thrilled to be able to partner with to offer this world-class product to our customers,” said Pam Kelly, president of FIPCO. “We understand the need for effective service for everyone who calls an institution, while making sure call center staff are not overwhelmed and customers aren’t stuck waiting for help in a queue.”

The AI-Powered Phone Banking reduces call wait times, while increasing productivity and engagement. FIPCO and will be hosting informational webinars on November 9 and 16 to demonstrate the capabilities of this solution.

To learn more about this solution and the upcoming demos, contact FIPCO Sales at or 1-800-722-3498, option 5.

Upcoming Informational Webinars:

Date: November 9, 2021
Time: 12:30 PM – 1:30 PM CT

Date: November 16, 2021
Time: 11:30 AM – 12:30 PM CT


By Cassandra Krause 

With a recent uptick in activity, ransomware attacks are a form of cyberattack that has been prevalent in recent news — and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game to steal the data first, then threaten to also publish the data to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets. 

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020 to 2021. The per-record cost of personally identifiable information averaged $180.


With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director InfoSec and Audit Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of their network security, improving endpoint protection to replace traditional antivirus and endpoint detection solutions, including adding authentication improvements such as MFA, improved password strength, and protecting backups. As more and more of the digital tools that bankers utilize require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities. 

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Wolf & Company, P.C. Manager of the I.T. Assurance Group Sean Goodwin, who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.” 

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee rather than break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology). 

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This area of solution, known as endpoint detection and response, is rapidly becoming a key point of protection from ransomware and all other malicious events. 

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 


Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for their customers. Otteson recommends reporting all incidents as even a minor incident could result in a claim down the line and having reported that incident when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or with a vendor the bank shared customer data with. 


It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the amount of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff. 

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incident response plan. Assessing what went well and what needs to be improved are critical steps.

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 


Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destroyed data; and the downtime of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCO, MBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.

According to analyst firm Gartner, extended detection and response (XDR) is a “SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

You’ll hear plenty of the traditional vendors of antivirus begin to proclaim themselves as an endpoint detection and response (EDR) or XDR solution, trying to keep up with this more advanced tool space. As they continue to either buy up other vendors with the tool sets (then try to bolt them on to their traditional solution) or simply try to remake themselves in the model of an XDR solution in other ways, their final offering often has limitations. Typically, they’ll cover some but not all the areas of a complete XDR solution. They will address hosts and files but not network and users, or network and hosts but not files or users. They’ll miss some of that cohesive security operation defined by Gartner.

A recent article from HelpNetSecurity—a popular information security online publication—titled “XDR and MDR: What’s the Difference and Why Does It Matter?” made the following statement in closing: “An XDR solution without adequate human expertise/staffing behind it will only ever be a tool. With a managed services model in play, you’re getting both the comprehensive technology capabilities and the people required to make it work— which is why managed detection and response (MDR) may be the only acronym that your organization needs.”

This statement is very accurate for the less complete XDR offerings that do not include the managed and monitoring components in their solutions. They become like all the security information and event management (SIEM) and log management solutions that have been pushed at you for years, becoming just another tool that no one has the expertise to manage or to leverage for the benefits you bought it for. So, what do you have to do? One option is to buy the “managed services” from these tool vendors, which can make banks dependent on them.

Another option is to research other solutions that are out there. In addition to Cynet, our Infosecurity consulting services suggest reviewing Gartner’s list of EDR solutions and offerings from WBA Associate Members when completing your due diligence. Complete solutions like Cynet360 include the backing of the Cynet CyOps team without needing to pay extra, bolt on more products, or go looking for the 24x7x365 expertise of another managed provider. This doesn’t mean that you can’t still depend on a managed services provider for another layer of monitoring and managing, but are they independent if they also are who you need to be monitoring? There’s nothing wrong with leveraging the additional layer you’ve come to depend on, but at what added cost to get the independence and expertise like that of a CyOps team that is already baked into the Cynet360 solution? You will still need to explain to your auditor and examiners that you’ve learned the tool adequately enough to understand and generate independent reporting of the activities of the managed third party.

At least when you are answering that questionnaire for your cyber insurance coverage, you’ll be able to check off ‘Yes’ on several questions because you implemented a powerful, more advanced endpoint protection solution.

Shaurette is FIPCO director infoSecurity and audit. Contact him at or 608-441-1251.

By, Alex Paniagua

If you have been following along from my previous article titled “Property Evaluations – A New Opportunity Under Old Regulations” (Wisconsin Banker, April 2021), you will come to understand that appraisal requirements continue to be a critical part of credit underwriting, but with limited staff knowledge and expertise. This article explores a different view of an old regulation.

It is true that appraisal thresholds were increased in 2019, but that did not really offer much in the way of relief. In fact, with the needle moved so that only larger transactions still require an appraisal, fewer appraisals are required and those appraisals become more complex. Much like the real estate evaluation process, what skills, training, and certifications do your staff possess to accomplish the regulatory requirement of appraisal review? It was stated in my last article and is worth repeating: “If a bank employee reviews appraisals, the individual should possess the requisite education, expertise, and competence to perform the review, commensurate with the complexity of the transaction, type of real property, and market.” (Federal Reserve Bank)

Over the years, examinations have focused on the reasonableness of the facts and assumptions found in the appraisal and whether review of an appraisal provides a credible opinion of the value of the collateral. This is true for both residential and commercial real estate. As I am performing review services for the industry, I become increasingly concerned when I see nothing more than a simple checklist completed by an internal banker with limited knowledge of appraisal requirements and expectations of USPAP standards. But there is hope on the horizon.

I have found that those banks that appear to be more efficient in their mortgage and commercial loan process have one thing in common: they outsource the appraisal review to third parties who remain independent of the appraisal completion and then pass along this cost to the customer. In these instances, the review appraiser does not need to state a second value opinion, rather they simply express an opinion on the quality of the appraisal received. Partnering with the right appraisal review company will be key, but at the end of the day you inherently improve the quality of your appraisal review process. The operational savings these banks enjoy really do impact the bottom line.

However, for those banks that choose to continue to conduct this process internally, I encourage the opportunity to train your staff on May 20, 2021. The Wisconsin Bankers Association is hosting a webinar called Residential Appraisal Review Start to Finish. Bankers will learn the appraisal rules, anticipate examiner expectations, implement a strong review process, and take away necessary tools to do their job. You can find registration information at Hope to see you there!

If you would like to learn more about becoming efficient or compliant in your loan processes, you can reach me at

Schmid is FIPCO director – compliance and management services. Contact him at or 608-441-1220.

By, Alex Paniagua

FIPCO is pleased to introduce Jesse Voit as Regional Vice President of Business Development serving Wisconsin, Illinois, and Michigan. Jesse brings a wealth of banking and technology experience to help serve financial institutions throughout the region. As an integral part of the FIPCO team, Jesse looks forward to continuing those relationships and building many new ones as well.

Jesse currently resides in Wisconsin Rapids and is active with the South Wood County Humane Society, serving as Vice President of the Board. We consider ourselves fortunate to have Jesse with us as we continue to deliver our innovative, customer-centric products and services to you. He will take good care of you.

Jesse is in the process of contacting you to arrange an opportunity to personally introduce himself. In the meantime, please feel free to call Jesse at 715-451-9989 or email him with your immediate needs. We thank you for your business and look forward to a continued mutually rewarding relationship with you.

By, Ally Bates

On Wednesday, April 14, Federal Deposit Insurance Corp. (FDIC) Chair Jelena McWilliams stated her top concern for the sector is banks’ reliance on outdated legacy systems. 

During a virtual conference hosted by the Consumer Bankers Association, McWilliams was asked – if given a “magic wand” – what about the banking system she would change. Her response pointed to the possibility of banks’ outdated internal processes and legacy software that “frankly are impeding their ability to move forward” and threatening the resiliency of the sector.  

“There are several things I would like to see done differently within the banking system,” McWilliams said, “but I will say No. 1 is something that concerns me on a longstanding basis, which is the legacy systems.” 

Pam Kelly, president of Financial Institution Products Corporation (FIPCO), agreed that banks’ reliance on legacy systems is a significant hurdle in a digital transformation. 

“Part of the challenge in leaving legacy behind is legacy systems contain a significant amount of data banks need to drive insights and make decisions today,” Kelly said. “Careful planning and development of a road map can help determine what systems to replace or where a wrapper or API could play a role in the modernization plan.” 

Creating a modernization plan is an important step in promoting new technologies and, as McWilliams stated, can lead to greater concerns within your organization down the road.  

“It becomes very complicated when you're bogged down by legacy systems and an ongoing contract that you have, whether it's with your core processor or other entities, or simply the legacy computer systems you have within your organization,” McWilliams continued. “It becomes really difficult to manage all that in a safe and sound manner and not have any issues.” 

Kelly further noted that the improvement of a technology ecosystem, digital or not, should help transform a business and help them “achieve new and improved services and experiences.” It is a plan that should be well thought out and a process that should be carefully considered. 

“Often, we see a new technology and think – ‘we need that,’” said Kelly. “Yet, instead of focusing upfront on the technology, focus on the what the bank wants to accomplish with their business and then determine the how.” 

Click here to learn more about FIPCO, a wholly-owned WBA subsidiary, and its services.  

By, Alex Paniagua

It was not that long ago that the raising of thresholds requiring real estate appraisals got bankers excited. It meant lower closing costs and faster processing times, but not all good deeds go unpunished. Just ask your credit underwriters and analysts who have been busy performing real estate evaluations since 2019. The increase in appraisal threshold also meant a substantial increase in internally prepared property valuations.

While this threshold change was a new opportunity for lenders to increase their loan pipelines, most of the appraisal regulation did not change, including the need for qualified and competent staff to perform such services. As mentioned in the Interagency Appraisal and Evaluation Guidelines, an institution should maintain documentation to demonstrate that the appraiser or person performing an evaluation is competent, independent, and has the relevant experience and knowledge for the market, location, and type of real property being valued. I would be remiss if I did not emphasize these qualifications, especially if you have an upcoming examination.

Just when we thought we might be gaining regulatory ground, it feels like we took two steps backwards. Banks found themselves in a new paradigm by turning staff into appraisers, but without the necessary education or, in some cases, independence. And you can bet that your next examination will have increased scrutiny, if it hasn’t already.

So, what is a banker to do to take advantage of the new thresholds? Recently, I sat down with Trendon Albers from Akrivis Real Estate Valuation Services to discuss this quandary and seek out alternative solutions. After all, ShareFI’s value-added services are here to help solve problems for community banks.

Trendon explained, “Since the inception of new appraisal thresholds, Akrivis Real Estate Evaluation Services’ niche is to provide property evaluations to community banks in a manner that complements their credit needs and processes. And the use of quality evaluations is increasing as we see a decline in appraisers and extended appraisal times.” With their certified staff of professionals and access to many of the same data sets as full appraisals, they too are solving an ever-growing problem for our industry: increased reliance on good evaluations. That fit perfectly into ShareFI’s business model of continuous improvement and most likely would be a good fit for your bank as well. As we have learned over the years, not all regulatory relief comes without a price. Next time, let’s discuss appraisal reviews and how your bank can become more cost-efficient in this area. Until then, if you would like to learn more about ShareFI’s compliance risk and management services or how Akrivis Real Estate Valuation Services can benefit your credit operations, please reach me at I would love to chat.

Schmid is director-compliance & management services for FIPCO.

By, Alex Paniagua

Until now, escrow disbursement in Wisconsin has been a normal yet frustrating routine as you come to the close of another year of paying property taxes. This is the time when mortgage servicers (or that demanding customer who wants to change things up, regardless of how they contracted for escrow disbursement) find out if the mortgage loan closed earlier this year correctly calculated property tax due. 

But this year is going to be much different, and as mortgage servicers who are bound by the Real Estate Settlement Procedures Act (RESPA), and/or by WI Statute 138.052, you now have to deal with customers whose mortgage payment in 2020 was either deferred or followed forbearance benefits under the CARES Act. And that, my servicing friends, makes things more complicated. But there are options.

First, when entering into the informal forbearance agreement with your customers earlier this year, I hope you convinced them, at the very least, to keep current with the escrow portion of the monthly payment. While the CARES Act and your investor allowed for delayed monthly payment, there was no provision to delay, defer, or suspend property tax due to the municipality at the end of 2020. This holds true if you deferred mortgage payments for mortgage loans held in your portfolio as well. If your customer missed these payments, there will not be enough escrow balance to pay this year’s property taxes. 

Second, under WI Statute 138.052, you and your customer agreed to a way money held in escrow would be disbursed. Typically, I find the most accepted method is to disburse the funds held in escrow payable to both the borrower and municipality and to do so by Dec. 20.  But don’t forget that your third option is to pay the property taxes when due. In Wisconsin, taxes are due Jan. 31, or alternatively in installment payments due Jan. 31 and July 31. If you are following your signed disclosure and disburse the funds held by Dec. 20, the customer may not have enough to pay property tax and will be calling you to help figure out a solution – but not until after you mailed them the check. I recommend you be proactive with those deferred payment customers and re-establish the method in which escrow will be disbursed prior to Dec. 20 and consider option three of section 138.052. Don’t forget to get a new agreement in place if you go this route. 

Third, you can overdraw the escrow account and fund the entire amount of the expected property taxes that would be due by Dec. 20. While this will make your customer happy, it could put both you and them at risk. Don’t forget, this new balance will be included during your annual escrow analysis in early 2021 and force the shortage to be made up over the next nine to ten months. The result could be payment shock to your customer, multiplied if the 2020 tax bill increased. Before exploring this option, I would re-underwrite the debt-to-income of the customers to be sure they can afford this option.

Fourth, what about those customers who do not escrow, but fell on hard times during COVID and also experienced a cash shortfall this tax season? As a servicer and community banker, I would proactively reach out to customers to visit with their mortgage lender to pursue viable options, including the establishment of a new escrow account.    

Finally, any proactive steps you can take in the next few days and weeks will help your mortgage servicing team deliver good customer service and reduce the unnecessary burdens of re-processing escrow disbursement payments. Your customer will thank you for it too. 

If you have questions about your escrow process or compliance issues surrounding your options, please contact me at Together we can help you find the right solution.

Schmid, CRCM, CERP is director of compliance and management services at FIPCO. He can be reached via email or 608-441-1220. You can find more regarding FIPCO's compliance and management services by clicking here.

By, Alex Paniagua