Tag Archive for: Risk Management

Posts

Corn seedling
,

Experts at Marquette Event Say It’s Time for Banks to Focus on Climate Change

By Paul Gores

Efforts to mitigate climate change are under way globally, and banks of all sizes would be prudent to prepare for regulations that climate concerns are bound to spur, experts say.

Getting ahead of the curve now will give banks time to develop a thought-out strategy rather than having to deal with it quickly as mandates are issued, according to speakers at a recent Marquette University banking conference titled, “Climate Change: What are the risks, realities, and challenges?”

Although at this point only banks with assets of $100 billion or more are being targeted to include climate risk considerations in their examination routines, eventually those rules will find their way to smaller banks and credit unions, said Kent Belasco, the director of Marquette’s commercial banking program, which hosted the online conference this spring.

Belasco, who has held annual commercial banking conferences on topics such as cybersecurity, financial crimes, and fintech, said he felt the time was right to look at what banks need to know about the eventuality of regulations focused on climate change.

“What I wanted to structure was just purely an informational session that says, OK, it may not be affecting me from a regulatory standpoint right now, but me, as a former banker, I knew that whenever the Fed started talking about something — even if they said it’s not going to affect you right now — it will, and you better get prepared for it,” Belasco said in an interview for the Wisconsin Bankers Association about the event.

Speakers at the Marquette conference were in agreement there is no doubt climate change risks and regulations for banks are coming, and banks should not only prepare for inevitable new rules, but also consider the transition to sustainable fuels and lending to greener businesses a growth opportunity. They acknowledged it may seem intimidating at first, but said banks can adapt.

“You guys have navigated really tough crises in the past, and here you are,” said Ariana Gomez, founder and chief executive officer of the consulting firm Technology for Impact.

She said bankers should ask themselves how they can be “an accelerator” in the transition.

“Because you hold the money at the end of the day. How can you be an accelerator here and grow your own business by doing the right thing?” Gomez said.

Michael Cohn, a principal at the Boston-based consulting firm Wolf & Company, said some companies he works with are early adopters that see what’s coming.

“They clearly see social and societal and consumer behavior beginning to drive the selection of companies that they want to do business with,” said Cohn. “They are not afraid of moving forward, even in the face of all the ambiguity that still exists out there.”

He said management teams for those companies know that if they move early, they can take their time to develop plans.

“And if they take their time and they can be thoughtful, they will be able to implement these programs at less expense,” Cohn said.

One hurdle that could keep some banks on the sidelines for now is the political debate over climate change. Not everyone is yet convinced it’s a risk they should have to account for — or in some cases, whether it’s even the great threat many consider it to be.

Shareholders at three of the nation’s biggest banks — Citigroup, Bank of America, and Wells Fargo — this spring voted down proposals aimed at reducing their lending to new fossil-fuel projects.

However, the proposals cleared thresholds to qualify for resubmission next year, according to a report by American Banker.

Regardless of the politics around climate change, many nations, including the U.S. government and its agencies, are taking it seriously. In the U.S., efforts are starting to come from various federal regulators, including bank regulators. While the focus now is on the biggest institutions, it will widen, the experts said.

In December last year, the Office of the Comptroller of the Currency released a document, “Principles for Climate-Related Financial Risk for Large Banks,” aimed at banks with more than $100 billion in assets.

“At the same time the OCC said that all banks, regardless of size, may have material exposures to climate-related financial risks,” environmental attorney Jason Lichtstein said during the Marquette conference.

Climate change, simply put, is the long-term change of weather and temperatures resulting from the burning of fossil fuels. Greenhouse gases from fossil fuel consumption move into the earth’s atmosphere and capture heat from the sun, causing the global temperature to rise.

Lichtstein, citing the National Oceanic and Atmospheric Administration, said climate change impacts are happening now and increasing in scope, frequency, and intensity. In 2020, there were more than $22 billion weather and climate disasters in the U.S., a record, he said.

“From 1980 to 2021, there was an annual average of 7.7 events, and the annual average for the most recent five years, from 2017 to 2021, was 17.8 events,’’ said Lichtstein, whose practice with the national law firm Akerman LLP focuses on the cleanup and redevelopment of brownfields and other contaminated sites.

The international goal is to hold the global temperature increase to no more than 2.7 degrees Fahrenheit by 2050.

The Biden administration is seeking to reduce U.S. greenhouse gases by 50% to 52% from 2005 levels by 2030. The longer-range goal is net zero emissions by 2050. Net zero means producing less carbon than we take out of the atmosphere.

Industries producing the most greenhouse gases are energy, transportation, manufacturing, building, and agriculture.

The fallout from climate change includes higher sea levels and more destructive storms, floods, and wildfires. Among financial risks include potential market and credit losses, equity and bond price declines, carbon asset write-downs, falling property values and the costs of transitioning to cleaner energy.

A 2019 report by the firm Oliver Wyman, “Climate Change: Managing a New Financial Risk,” stated that in addition to operational and market risks, climate change can lead to increased credit risk for banks. The report said, for instance, that mortgage portfolios could be hit by events that reduce property values.

In a report last year, the Wisconsin Initiative on Climate Change Impacts, which is a statewide collaboration of scientists and stakeholders formed as a partnership between UW-Madison’s Nelson Institute for Environmental Studies and the Wisconsin Department of Natural Resources, said that since 2011, data in the state showed continued warming, increases in rain and snow, and more-frequent extreme rainfall events.

“Statewide temperatures have warmed by about three degrees Fahrenheit and precipitation has increased by nearly twenty percent since 1950,” the report says. “In the last decade, nearly every region of the state has experienced extreme rainfall events that led to flooding of roads, homes, businesses, and farm fields.”

The Wisconsin report said, among other concerns, that warmer winters, increasing deer herds, extreme weather events, summer droughts, and longer growing seasons are stressing forest ecosystems and increasing the risk of outbreaks of new pests and diseases.

“Iconic species like the paper birch are vanishing from northern forests as the climate warms,” the report says. “Forest management, logging, and the forest products supply chain are facing uncertainty, with implications for rural economies.”

In the future, banks are likely to be required to account for how their lending — the businesses they lend to — could affect climate change. They also are expected to have to account for whether their key third-party vendors are complying with efforts to mitigate climate change, participants in the Marquette conference said.

“We are observing all the time that nobody has yet put in good solid detailed vendor due diligence and vendor monitoring practices over whether their vendors have put in climate risk management programs,” Cohn said. “Nobody is there yet. It has not worked its way into one of the most basic risk management activities, which is monitor your vendors.”

Governments around the world are pushing for mandatory climate risk reporting, said David Carlin, who leads the Financial Stability Board’s Task Force on Climate-Related Financial Disclosures and the climate risk program for the United Nations Environment Programme Finance Initiative.

The task force has designed standardized guidelines to help organizations disclose material climate risks, explain plans to manage exposure, and describe how the shift to a zero-carbon economy would affection their operations.

“What we’re seeing is that there’s a lot of work on getting boards up to speed, getting executive leadership involved in the climate risk process on the governance side,” Carlin said. “On the strategy side, climate opportunities are an area that has been of increasing interest, and strategies are explicitly being developed alongside sustainable finance frameworks to bring those things to fruition.”

Unlike risk scenario analysis that can rely on the past to project what is likely to happen, climate change is dynamic, which makes it more challenging to predict risks.

One thing all banks should be aware of is that the customers and employees of the future — millennials and Gen Z — want their banks to be mindful of climate change and involved in slowing it. Those groups are “looking for places with purpose,” said Gomez.

“They want to work and earn a salary, but they also want to transcend, to have positive impact on the planet,” she said.

Belasco said he also has seen that motivation in college students he has trained.

“There is no doubt that millennials and Gen Z are hyper focused on the products and services they use and what is the impact to the environment when they go ahead and use them,” Cohn said.

Cohn said it’s time for banks to consider the risks that come with climate change.

“When we talk about climate and credit, we are worried about are we going to wind up with defaults because of companies that either are not making transitions, or they are so fossil fuel dependent that the markets and consumers move completely away and they cannot pay us back,” Cohn said.

He said banks need to analyze who they’re going to do business with in the future, even though brown industries and the world aren’t ready yet to shed their usage of fossil fuels. Banks must consider migrating funding to new green industries and slowly wean some of the brown industries.

“That’s where the banking system and banking, both at a national, regional, and community level, can have the biggest impact — because there are a lot of small companies out there that are doing the right thing,” he said.

It will be important for banks to establish — and soon — a panel or person to oversee the bank’s climate change efforts and set up a process for identifying, assessing, and managing climate-related risks, Cohn said.

“Committees provide two things: They provide oversight and they provide the approval for the provision of resources,” Cohn said.

Executives need to make sure climate risk is something everyone in the organization is on top of, although the chief risk officer probably is going to be “the orchestra leader for these plans,” Cohn said.

Cohn said even though it might seem overwhelming at times, banks should get started now because the pace of change isn’t going to slow down.

“The world right now is moving likely at the slowest rate of change it will for the rest of our lives,” he said.

Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

/by
Cybersecurity graphic
, ,

What Community Banks Need to Know About Ransomware Attacks

By Cassandra Krause 

With a recent uptick in activity, ransomware attacks are a form of cyberattack that has been prevalent in recent news — and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game to steal the data first, then threaten to also publish the data to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets. 

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020–2021. The per-record cost of personally identifiable information averaged $180. 

Prevention 

With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director InfoSec and Audit Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of their network security, improving endpoint protection to replace traditional antivirus and endpoint detection solutions, including adding authentication improvements such as MFA, improved password strength, and protecting backups. As more and more of the digital tools that bankers utilize require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities. 

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Wolf & Company, P.C. Manager of the I.T. Assurance Group Sean Goodwin, who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.” 

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee rather than break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology). 

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This area of solution, known as endpoint detection and response, is rapidly becoming a key point of protection from ransomware and all other malicious events. 

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 

Preparation 

Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for their customers. Otteson recommends reporting all incidents as even a minor incident could result in a claim down the line and having reported that incident when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or with a vendor the bank shared customer data with. 

Mitigation 

It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the amount of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff. 

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incidence response plan. Assessing what went well and what needs to be improved are critical steps.  

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 

Summary 

Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destructed data; and the down time of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.  

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCOMBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.  

/by
,

Get to Know MBIS: Insurance for Banks, From People Who Know Banks

Bankers understand risk management. That’s what the business of banking is all about, after all. Bankers accept the risk of protecting their customers’ funds and manage the risk of extending those funds out as loans to build the community. Without effective risk management, no bank can be successful.  

That’s why Wisconsin Bankers Association wholly owned subsidiary WBA Employee Benefits Corporation (EBC) partnered with the Minnesota Bankers Association nearly a decade ago to form Midwest Bankers Insurance Services LLC (MBIS). This partnership created an insurance agency dedicated to providing community banks with comprehensive insurance options.  

As an association-owned entity, ultimately the revenue generated by MBIS flows back to support the overall mission of WBA, which is to support you, our member banks. Another advantage of working with MBIS: we serve only you. The banking industry is the only market MBIS serves; its products are specifically tailored to banks’ insurance needs. All of MBIS’ financial products are designed to protect banks, their officers, directors, and employees from disasters of all kinds.  

Because MBIS is owned by your association, you can rest assured we’re working on your behalf and you can contact us with concerns. For example, recently, we have fielded questions from bankers wondering about the impact of the current pandemic on pricing for their D&O liability policy renewals. Some experts have stated they expect increases of nearly 50% as a result of emerging claims related to COVID-19.  

Our response: while the D&O markets are a bit shaken right now, the banking sector has not seen the significant premium increases other areas have. However, some carriers are tightening in various ways, including more disciplined risk selection, increased retentions, lack of three-year prepay options, and narrower terms and conditions. 

MBIS’s lead D&O carrier, AmTrust, continues to offer broad terms, conditions, and less-than-market pricing with three-year prepay options. The MBIS-negotiated D&O forms have been broader than what we have experienced with policy forms negotiated by other agencies.  

For more guidance and insight like this, you need to work with an agency that knows banking as well as it knows insurance. That’s MBIS.  

Find out how MBIS can help your bank manage risk, and join our over 200 bank clients in Wisconsin, Minnesota, and North Dakota in enjoying peace of mind. Contact Jeff Otteson at 608-217-5219 or jeffo@mbisllc.com today. 

Lund is WBA executive vice president – chief of staff and president of EBC and MBIS. 

By, Amber Seitz

/by
WBA logo

questions@wisbank.com

608-441-1200

4721 S Biltmore Ln.
Madison, WI 53718

Get our Newsletter!
Subscribe