Tag Archive for: Risk Management

Posts

,

Community Banking and Risk Premia

By Corey Chambas, CEO, First Business Financial Services, Inc.

Corey Chambas

As a fundamental economic principle, there is typically a fair trade-off between risk and return. In the investment world, where risks are taken on various asset classes, risk premia are the returns received above the risk-free rate earned in exchange for taking that risk. Where there are sufficient buyers and sellers of assets/securities, the market is assumed to generally be efficient, with an appropriate level of reward for a commensurate level of risk. For example, a company’s bonds pay a lower expected return than the same company’s equity because bondholders are paid first in a liquidation, and thus, equity has higher risk. Therefore, the equity will have a higher return to fairly compensate for the higher risk.

When it comes to risks taken in banking, however, this risk/return trade-off does not always hold. I posit that there are three major categories of risk for community banks — credit risk, operational risk, and balance sheet risk — and the compensation for these risks is not necessarily commensurate with the degree of risk taken.

In community banking, credit risk is the one risk that follows the rule of providing a proportionate return for the risk taken. Fundamentally, banks take in deposits that are relatively risk-free for the depositor — either explicitly insured by the FDIC or, based on most historical precedents, implicitly backed by the FDIC. Therefore, depositors accept a fairly low risk-free rate on their deposits for both convenience reasons and for reasons of risk and return. On the other hand, when banks lend money, they are taking on real risk of loss. Therefore, they earn a higher rate than they pay on deposits and thus generate spread income. This net interest margin is the fundamental earnings stream of community banks.

Since the vast majority of community banks’ income is earned via spread income, their business model dictates accepting credit risk by lending money to local businesses and individuals.  Therefore, they must be expert at pricing for the risk they are underwriting. It is necessary for banks to take this risk and earn the fair/market reward to generate a return for their shareholders, pay their employees, and support their communities.

On an editorial note, this fundamental aspect of banking makes community banking an honorable and critical endeavor, as this local lending activity is the financial lubricant that allows businesses to grow and individuals to fulfill their dreams. Healthy community banks help create prosperous local businesses and thriving communities.

On the other end of the spectrum is operational risk, which is a risk that has no return. It is simply the ante for being in the banking business. This area includes things like compliance, fraud protection, cybersecurity – the list goes on. This cost of doing business is an ever-increasing challenge. Banks are not only prime targets for the bad guys because, as Great Depression-era bank robber Willie Sutton famously quipped when asked why he robs banks, “That’s where the money is”, banks are now also where the potentially even more valuable data is.

For this uncompensated risk, community banks need to diligently mitigate operational risk in the most effective and efficient manner possible.

The third risk area, balance sheet risk, encompasses interest rate risk, liquidity risk, and risk of capital loss. The first two risks discussed are mandatory – banks cannot make money without taking credit risk and, by virtue of the industry, they take on operational risk. Balance sheet risk is more interesting because much of it is optional, and the associated return is relatively small and can even be negative. So, the question to be answered is whether this risk is worth taking.

In a “normal” upward-sloping yield curve environment, banks earn additional return by taking interest rate risk – funding short with floating-rate deposits and lending long with fixed-rate loans. However, much of the time, the differential earned is really not very significant and clearly not as substantial as the premium earned by taking credit risk. Lending spreads for most banks are typically in the 3% to 4% range. However, the spread between the three-month Treasury bill and the five-year Treasury has averaged a much less 0.50% over the last 10 years. This spread, which is indicative of the interest rates in the part of the yield curve in which banks most often fund and lend, has varied widely from negative 1.91% to plus 2.24% over that timeframe and sits at negative 1.35% as I write this.

The only way to really win is if the bank can accurately predict what is going to happen with rates, and studies have shown it is extremely hard to predict future inflation and interest rates. In fact, it could be called a fool’s errand. See the graph below, which shows that even the Fed — who sets the fed funds rate — cannot accurately predict the fed funds rate!

I remember how very sure I was after the Great Financial Crisis that rates had to go up, and the rate forecasts all showed rising rates. That position was wrong for over a decade.

More recently, banks were caught wrong-footed as very few anticipated and prepared for a 500 basis point rate increase, as evidenced by Accumulated Other Comprehensive Income (“AOCI”) adjustments and mismatched loan books that resulted in severely squeezed margins.

As Yogi Berra said, “It is difficult to make predictions, especially about the future.”

When doing a risk assessment, ranking a risk in terms of its likelihood and severity is often used. The real concern when taking interest rate risk is the severity, not just because of the impact on net interest margin but also because of the correlation with the other balance sheet risks. The compounding issue is the confluence of the timing of risks, whereby margins are squeezed, and thus earnings accumulation is degraded, precisely when securities portfolios lose value, both putting pressure on capital levels. In addition, as we have seen, this type of environment can potentially cause concern for the health of the bank and a resultant loss of funding and liquidity. There is also no quick fix to the situation, as it takes a significant amount of time to unwind this mismatched position during an inverted yield curve. While you can liquidate a mismatched and underwater securities portfolio, it comes with an additional hit to capital. As for the mismatched and underwater loan portfolio, even beyond the capital impact, liquidating those assets is not really an accessible option.

Making matters worse, the typically available option of selling the bank is also likely off the table, as an acquirer not only needs to pay something for the bank but will also need to raise enough new dilutive capital to fill the mark-to-market hole, as the whole balance sheet of the acquired bank is marked in the acquisition. This creates a perfect storm of losing a valuable strategic option on top of a poor future performance outlook and a degradation of capital.

Consequently, while there is often an incremental return to be gained from taking interest-rate risk, the overall balance sheet risk and the resultant risk of impairing the inherent value of the business, may be analogous to the concept of picking up pennies in front of a steamroller.

In many ways, community banking is simple but not easy. Discipline and diligence are necessary. Choosing which risks to take and which to avoid, and how to manage and mitigate the risks taken, are key decisions for bank management teams and their boards. Community banks are the backbone of local communities, their businesses, and their citizens. Consequently, prudent management of community banks is not only important for their shareholders, but for all the stakeholders relying on them to facilitate local prosperity.

Corey Chambas is CEO of First Business Financial Services, Inc., parent company of First Business Bank. Member FDIC. For additional information on balance sheet risk management strategies for your bank, visit firstbusiness.bank/bank-consulting.

/by
, ,

Banking Industry Awaits Rate Drop

By Malcolm McDowell Woods

At financial institutions across the state, all eyes remain on the Federal Reserve, waiting to see how quickly and how drastically interest rates move yet this year. While there’s a strong consensus that a rate drop would be beneficial, industry insiders are mostly voicing their hopes that whatever happens comes gently.

At the start of 2024, expectations were that the Federal Reserve would enact a series of interest rate decreases over the course of the year, as long as economic forecasts proved accurate. After the first quarter of the year passed without any rate changes and following a quiet meeting of the Federal Reserve in mid-March, Federal Reserve Bank Chair Jerome Powell said he still expected rate cuts later this year. For now, rates remain high, pushed there through a series of hikes enacted first in response to the economic fallout of the COVID-19 pandemic. Those dizzying jumps, moving the base rate from a low of zero to the current 5.25–5.50%, came fast and furious over a short two-year span, leaving banks a bit shell-shocked and struggling to adapt.

It’s made for rough waters, but analyst Marc Gall, a senior vice president of the Financial Institutions Group at BOK Financial Capital Markets, thinks anyone expecting huge rate cuts anytime soon should temper their expectations.

“The expectation the market has for this year is that the Fed is going to cut interest rates between two to three times, likely towards the second half of the year,” explained Gall. “The outlook has been that the economy is going to start slowing down, that we’re going to start getting closer to a recessionary time, and that’s what’s going to cause the Fed to start dropping the interest rate.” The challenge for the banking industry, said Gall, is that everyone is left waiting for something to happen.

And waiting. “What a ride,” is how Nicolet National Bank CFO Phil Moore jokingly described the past couple of years. As a bank catering to commercial and industrial customers, Nicolet’s portfolio contains many fixed-rate, short-duration loans that couldn’t be adjusted when rates rose so dramatically. Nicolet has managed to emerge unscathed, but it wasn’t much fun, said Moore. The volatility is tough to manage, he said. “It’s not impossible — we dealt with the ups — but it’s just that much more challenging, there’s more financial risk.”

However, the nature of Nicolet’s lending portfolio — short, two-to-three-and-a-half-year duration loans, works in the bank’s favor, according to Moore. “You know, you hold your nose for three and a half years. It doesn’t feel like too much risk at this point in time, and we feel very comfortable managing that.”

What does Moore anticipate happening over the remainder of the year? “I don’t know, and ask me again in two weeks and I still won’t know,” he laughed. “It’s been crazy right. The market and the Fed have certainly not been reconciled with their thinking, though it seems to me that at least they are getting closer to being reconciled. But what a painful ride it has been, because of the severity and the steepness of the 500-basis-point jump that we just lived through.”

At Peoples State Bank in Wausau, CFO and Senior Vice President Jessica Barnes admits that the rapid and steep rate hikes were challenging. “For someone in my position,” she said, “it’s kind of been fun and exciting in a sick way, but definitely challenging. [Those] very rapid rate jumps were just something I’d never seen before in my career. It was hard to adjust to and make sure we’re still serving our customers adequately.”

The swift hikes reduced the value of investment portfolios at most banks, raising concerns about liquidity.

“It’s funny, because when banks have liquidity and funds available to invest, it’s not as good a time to invest because rates are usually low,” said Barnes. “But when rates are very high, like they are today — and I do believe that we’re at our peak — cash is not as abundant to invest.” Her bank’s approach has been to consciously diversify the structure of its portfolio, so it will perform well in different environments. The bank will also seek opportunities to sell some of its lower-yielding securities that have longer durations for higher yields to help with profitability.

That strategy reveals Barnes’ belief that significant interest rate cuts are unlikely in the near future. “If I believed they were going to be lowered very soon, you could make a case that we could just sit on those larger unrealized losses” for the short term. But Barnes isn’t holding her breath. “We’ve held the view since last year that there wouldn’t be as many rate cuts as were being predicted. When we put together our 2024 plan, we didn’t factor in any rate cuts. And so far that’s been a pretty correct assumption.”

At the Bank of Wisconsin Dells, Senior Vice President and CFO Tracey Pierce is in agreement that any rate cut yet this year will be minimal and later in the year.” I think the curve will somewhat normalize through a series of rate cuts, but at a slow pace for now,” she said. “Probably looking at the fourth quarter, something like 25 basis points.”

That would help most banks, hers included, but only incrementally.

“The perception among some bankers is that all we need is for the Fed to start cutting rates and everything will be okay,” noted Gall, but he doesn’t see banks deriving much cost savings on the deposit side from what he thinks will be small cuts. “Really, the Fed needs to cut a lot in order for things to get materially better on the margin side in the short term. And again, if the Fed starts cutting rates, that’s incrementally beneficial over the long term, but most of them need a big drop quickly, which is not what the outlook is for this year.”

That means the potential for continuing squeezed margins and questions of liquidity, issues that came to the fore last year after several bank failures across the country. Gall and others say it has resulted in an increased scrutiny on liquidity from bank regulators.

“Liquidity really is the biggest concern for our industry right now,” said Pierce, of the Bank of Wisconsin Dells.” We’re starting to see the effects of inflation on our deposits.” Inflation has forced consumers to spend excess savings, leaving banks with fewer funding sources.

Gall added that the volatility of the past several years has impacted banks across the state differently. “There are some banks right now that have very good earnings that have enjoyed even higher earnings as interest rates have risen, but there are others that have seen their earnings drop significantly. It means the range of performance between Wisconsin banks is the widest it has been in a very long time.”

Finally, muddying the waters is the looming shadow of the presidential election in November. Traditionally, the Fed has preferred to avoid making significant policy moves near the election, lest it be accused of interfering with politics, but no one knows for sure what will happen. “So that’s a wild card, right?” said Moore.

Just what the banking industry doesn’t need — more uncertainty.

“It’s my greatest fear,” concluded Moore. “It’s just so much more challenging to manage. I’m just hoping for consistency and stability.” He’s not alone.

McDowell Woods is a freelance writer and an instructor of journalism and media studies at the University of Wisconsin–Milwaukee.

/by
,

Executive Letter: 2023 Agencies Risk Perspectives

By Rose Oswald Poels

This year was a very busy one from a banking regulatory perspective with WBA and the industry engaging regulators on many different issues. As you look ahead to the new year, it is helpful to understand from the banking agencies’ perspectives the key issues they identify that are facing the industry.

The following summarizes the most recent risk perspective reports from the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC), and will offer insight to bankers as you evaluate and revise risk strategies for the upcoming year:

OCC Semiannual Risk Perspective, Fall 2023

The OCC’s Fall 2023 Semiannual Risk Perspective presents data in five main areas — the operating environment, bank performance, special topics in emerging risks, trends in key risks, and supervisory actions. OCC reported that the overall strength of the federal banking system remains sound and that OCC expects banks to remain diligent and adhere to prudent risk management practices across all risk areas. Additionally, OCC stated that banks should continue to guard against complacency to ensure each maintains the ability to withstand potential future economic challenges.

The OCC highlighted credit, market, operational, and compliance risks, as the key risk themes. Highlights from the report include that:

  • Credit risk is increasing due to higher interest rates, increasing risk in CRE lending, prolonged inflation, declining corporate profitability, and the potential for slower economic growth. Key performance indicators are beginning to show signs of borrower stress across asset classes.
  • Rising deposit rates, broader market liquidity contraction, and increased reliance on wholesale funding started to impact net interest margins through the first half of 2023. Competition for deposits and higher interest rates are raising deposit rates. OCC reported deposit and liquid asset trends stabilized in the latter half of 2023, but the levels were supported by increased reliance on wholesale funding. Increases in interest rates are negatively impacting investment portfolio values.
  • Operational risk is elevated. Cyber threats continue. Banks continue to leverage new technology to further digitalization efforts, offering innovative products and services to meet customer demands. OCC warned that increasing digitalization efforts can also heighten risk of fraud and error, including fraud targeting peer-to-peer and other faster payment platforms.
  • Compliance risk remains elevated. OCC believes this is due to the heightened focus on ensuring equal access to credit and fair treatment of consumers, the expanded use of innovative technologies for product and service delivery, and expanded partnerships with third parties, such as financial technology firms, and increases in BSA/AML risk.

Federal Reserve Financial Stability Report, October 2023

The FRB’s latest Financial Stability Report was released in October in which FRB reports conditions affecting the stability of the U.S. financial system by analyzing vulnerabilities related to valuation pressures, borrowings by business and households, financial-sector leverage, and funding risks. Similar to the OCC, FRB reported that the banking sector remains sound overall, and that most banks continue to report capital levels above regulatory requirements. Nevertheless, FRB reports a subset of banks continued to face funding pressures.

The FRB’s report includes a discussion which considers possible interactions of existing domestic vulnerabilities with several potential near-term risks, including international risks. Survey contacts reflect the effect of persistent inflation and monetary tightening, insights regarding CRE, the reemergence of banking-sector stress, market liquidity strains and volatility, fiscal debt sustainability, and climate-related financial risks.

FDIC Risk Review 2023 Report

The latest FDIC Risk Review report incorporates data for 2022 through first quarter 2023, with insights related to the stress to the banking sector that emerged in March 2023. The report reflects risks on the key credit, market, operational, crypto-asset, and climate-related financial risks facing banks.

Regarding key credit risks, FDIC reported asset quality remained generally favorable as of first quarter 2023 despite modest deterioration. FDIC believes weaker economic conditions and higher interest rates may challenge bank loan portfolios, including credit card, C&I, residential real estate, and CRE loans.

From a markets perspective, FDIC reported market risks were primarily related to the effects of higher interest rates. Also, deposit outflows along with high levels of unrealized losses could pressure liquidity for some banks. FDIC reported the banking industry benefited from strong loan growth and higher NIMs in 2022, but higher funding costs reduced NIMs.

FDIC also reported that operational risks, including cybersecurity risks and risks related to illicit financial activity, remained elevated across the banking industry. FDIC also reported that crypto assets continue to present novel and complex risks that FDIC believes are difficult to fully assess. From FDIC’s perspective, climate-related financial risks include physical risk and transition risk, and FDIC’s report focuses on physical risk from severe weather and climate events.

/by
Corn sprouting in field
,

Experts at Marquette Event Say It’s Time for Banks to Focus on Climate Change

By Paul Gores

Efforts to mitigate climate change are under way globally, and banks of all sizes would be prudent to prepare for regulations that climate concerns are bound to spur, experts say.

Getting ahead of the curve now will give banks time to develop a thought-out strategy rather than having to deal with it quickly as mandates are issued, according to speakers at a recent Marquette University banking conference titled, “Climate Change: What are the risks, realities, and challenges?”

Although at this point only banks with assets of $100 billion or more are being targeted to include climate risk considerations in their examination routines, eventually those rules will find their way to smaller banks and credit unions, said Kent Belasco, the director of Marquette’s commercial banking program, which hosted the online conference this spring.

Belasco, who has held annual commercial banking conferences on topics such as cybersecurity, financial crimes, and fintech, said he felt the time was right to look at what banks need to know about the eventuality of regulations focused on climate change.

“What I wanted to structure was just purely an informational session that says, OK, it may not be affecting me from a regulatory standpoint right now, but me, as a former banker, I knew that whenever the Fed started talking about something — even if they said it’s not going to affect you right now — it will, and you better get prepared for it,” Belasco said in an interview for the Wisconsin Bankers Association about the event.

Speakers at the Marquette conference were in agreement there is no doubt climate change risks and regulations for banks are coming, and banks should not only prepare for inevitable new rules, but also consider the transition to sustainable fuels and lending to greener businesses a growth opportunity. They acknowledged it may seem intimidating at first, but said banks can adapt.

“You guys have navigated really tough crises in the past, and here you are,” said Ariana Gomez, founder and chief executive officer of the consulting firm Technology for Impact.

She said bankers should ask themselves how they can be “an accelerator” in the transition.

“Because you hold the money at the end of the day. How can you be an accelerator here and grow your own business by doing the right thing?” Gomez said.

Michael Cohn, a principal at the Boston-based consulting firm Wolf & Company, said some companies he works with are early adopters that see what’s coming.

“They clearly see social and societal and consumer behavior beginning to drive the selection of companies that they want to do business with,” said Cohn. “They are not afraid of moving forward, even in the face of all the ambiguity that still exists out there.”

He said management teams for those companies know that if they move early, they can take their time to develop plans.

“And if they take their time and they can be thoughtful, they will be able to implement these programs at less expense,” Cohn said.

One hurdle that could keep some banks on the sidelines for now is the political debate over climate change. Not everyone is yet convinced it’s a risk they should have to account for — or in some cases, whether it’s even the great threat many consider it to be.

Shareholders at three of the nation’s biggest banks — Citigroup, Bank of America, and Wells Fargo — this spring voted down proposals aimed at reducing their lending to new fossil-fuel projects.

However, the proposals cleared thresholds to qualify for resubmission next year, according to a report by American Banker.

Regardless of the politics around climate change, many nations, including the U.S. government and its agencies, are taking it seriously. In the U.S., efforts are starting to come from various federal regulators, including bank regulators. While the focus now is on the biggest institutions, it will widen, the experts said.

In December last year, the Office of the Comptroller of the Currency released a document, “Principles for Climate-Related Financial Risk for Large Banks,” aimed at banks with more than $100 billion in assets.

“At the same time the OCC said that all banks, regardless of size, may have material exposures to climate-related financial risks,” environmental attorney Jason Lichtstein said during the Marquette conference.

Climate change, simply put, is the long-term change of weather and temperatures resulting from the burning of fossil fuels. Greenhouse gases from fossil fuel consumption move into the earth’s atmosphere and capture heat from the sun, causing the global temperature to rise.

Lichtstein, citing the National Oceanic and Atmospheric Administration, said climate change impacts are happening now and increasing in scope, frequency, and intensity. In 2020, there were more than $22 billion weather and climate disasters in the U.S., a record, he said.

“From 1980 to 2021, there was an annual average of 7.7 events, and the annual average for the most recent five years, from 2017 to 2021, was 17.8 events,’’ said Lichtstein, whose practice with the national law firm Akerman LLP focuses on the cleanup and redevelopment of brownfields and other contaminated sites.

The international goal is to hold the global temperature increase to no more than 2.7 degrees Fahrenheit by 2050.

The Biden administration is seeking to reduce U.S. greenhouse gases by 50% to 52% from 2005 levels by 2030. The longer-range goal is net zero emissions by 2050. Net zero means producing less carbon than we take out of the atmosphere.

Industries producing the most greenhouse gases are energy, transportation, manufacturing, building, and agriculture.

The fallout from climate change includes higher sea levels and more destructive storms, floods, and wildfires. Among financial risks include potential market and credit losses, equity and bond price declines, carbon asset write-downs, falling property values and the costs of transitioning to cleaner energy.

A 2019 report by the firm Oliver Wyman, “Climate Change: Managing a New Financial Risk,” stated that in addition to operational and market risks, climate change can lead to increased credit risk for banks. The report said, for instance, that mortgage portfolios could be hit by events that reduce property values.

In a report last year, the Wisconsin Initiative on Climate Change Impacts, which is a statewide collaboration of scientists and stakeholders formed as a partnership between UW-Madison’s Nelson Institute for Environmental Studies and the Wisconsin Department of Natural Resources, said that since 2011, data in the state showed continued warming, increases in rain and snow, and more-frequent extreme rainfall events.

“Statewide temperatures have warmed by about three degrees Fahrenheit and precipitation has increased by nearly twenty percent since 1950,” the report says. “In the last decade, nearly every region of the state has experienced extreme rainfall events that led to flooding of roads, homes, businesses, and farm fields.”

The Wisconsin report said, among other concerns, that warmer winters, increasing deer herds, extreme weather events, summer droughts, and longer growing seasons are stressing forest ecosystems and increasing the risk of outbreaks of new pests and diseases.

“Iconic species like the paper birch are vanishing from northern forests as the climate warms,” the report says. “Forest management, logging, and the forest products supply chain are facing uncertainty, with implications for rural economies.”

In the future, banks are likely to be required to account for how their lending — the businesses they lend to — could affect climate change. They also are expected to have to account for whether their key third-party vendors are complying with efforts to mitigate climate change, participants in the Marquette conference said.

“We are observing all the time that nobody has yet put in good solid detailed vendor due diligence and vendor monitoring practices over whether their vendors have put in climate risk management programs,” Cohn said. “Nobody is there yet. It has not worked its way into one of the most basic risk management activities, which is monitor your vendors.”

Governments around the world are pushing for mandatory climate risk reporting, said David Carlin, who leads the Financial Stability Board’s Task Force on Climate-Related Financial Disclosures and the climate risk program for the United Nations Environment Programme Finance Initiative.

The task force has designed standardized guidelines to help organizations disclose material climate risks, explain plans to manage exposure, and describe how the shift to a zero-carbon economy would affection their operations.

“What we’re seeing is that there’s a lot of work on getting boards up to speed, getting executive leadership involved in the climate risk process on the governance side,” Carlin said. “On the strategy side, climate opportunities are an area that has been of increasing interest, and strategies are explicitly being developed alongside sustainable finance frameworks to bring those things to fruition.”

Unlike risk scenario analysis that can rely on the past to project what is likely to happen, climate change is dynamic, which makes it more challenging to predict risks.

One thing all banks should be aware of is that the customers and employees of the future — millennials and Gen Z — want their banks to be mindful of climate change and involved in slowing it. Those groups are “looking for places with purpose,” said Gomez.

“They want to work and earn a salary, but they also want to transcend, to have positive impact on the planet,” she said.

Belasco said he also has seen that motivation in college students he has trained.

“There is no doubt that millennials and Gen Z are hyper focused on the products and services they use and what is the impact to the environment when they go ahead and use them,” Cohn said.

Cohn said it’s time for banks to consider the risks that come with climate change.

“When we talk about climate and credit, we are worried about are we going to wind up with defaults because of companies that either are not making transitions, or they are so fossil fuel dependent that the markets and consumers move completely away and they cannot pay us back,” Cohn said.

He said banks need to analyze who they’re going to do business with in the future, even though brown industries and the world aren’t ready yet to shed their usage of fossil fuels. Banks must consider migrating funding to new green industries and slowly wean some of the brown industries.

“That’s where the banking system and banking, both at a national, regional, and community level, can have the biggest impact — because there are a lot of small companies out there that are doing the right thing,” he said.

It will be important for banks to establish — and soon — a panel or person to oversee the bank’s climate change efforts and set up a process for identifying, assessing, and managing climate-related risks, Cohn said.

“Committees provide two things: They provide oversight and they provide the approval for the provision of resources,” Cohn said.

Executives need to make sure climate risk is something everyone in the organization is on top of, although the chief risk officer probably is going to be “the orchestra leader for these plans,” Cohn said.

Cohn said even though it might seem overwhelming at times, banks should get started now because the pace of change isn’t going to slow down.

“The world right now is moving likely at the slowest rate of change it will for the rest of our lives,” he said.

Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

/by
Digital locks representing cybersecurity
, ,

What Community Banks Need to Know About Ransomware Attacks

By Cassandra Krause 

With a recent uptick in activity, ransomware attacks are a form of cyberattack that has been prevalent in recent news — and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game to steal the data first, then threaten to also publish the data to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets. 

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020–2021. The per-record cost of personally identifiable information averaged $180. 

Prevention 

With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director InfoSec and Audit Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of their network security, improving endpoint protection to replace traditional antivirus and endpoint detection solutions, including adding authentication improvements such as MFA, improved password strength, and protecting backups. As more and more of the digital tools that bankers utilize require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities. 

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Wolf & Company, P.C. Manager of the I.T. Assurance Group Sean Goodwin, who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.” 

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee rather than break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology). 

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This area of solution, known as endpoint detection and response, is rapidly becoming a key point of protection from ransomware and all other malicious events. 

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 

Preparation 

Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for their customers. Otteson recommends reporting all incidents as even a minor incident could result in a claim down the line and having reported that incident when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or with a vendor the bank shared customer data with. 

Mitigation 

It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the amount of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff. 

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incidence response plan. Assessing what went well and what needs to be improved are critical steps.  

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 

Summary 

Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destructed data; and the down time of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.  

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCOMBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.  

/by
,

Get to Know MBIS: Insurance for Banks, From People Who Know Banks

Bankers understand risk management. That’s what the business of banking is all about, after all. Bankers accept the risk of protecting their customers’ funds and manage the risk of extending those funds out as loans to build the community. Without effective risk management, no bank can be successful.  

That’s why Wisconsin Bankers Association wholly owned subsidiary WBA Employee Benefits Corporation (EBC) partnered with the Minnesota Bankers Association nearly a decade ago to form Midwest Bankers Insurance Services LLC (MBIS). This partnership created an insurance agency dedicated to providing community banks with comprehensive insurance options.  

As an association-owned entity, ultimately the revenue generated by MBIS flows back to support the overall mission of WBA, which is to support you, our member banks. Another advantage of working with MBIS: we serve only you. The banking industry is the only market MBIS serves; its products are specifically tailored to banks’ insurance needs. All of MBIS’ financial products are designed to protect banks, their officers, directors, and employees from disasters of all kinds.  

Because MBIS is owned by your association, you can rest assured we’re working on your behalf and you can contact us with concerns. For example, recently, we have fielded questions from bankers wondering about the impact of the current pandemic on pricing for their D&O liability policy renewals. Some experts have stated they expect increases of nearly 50% as a result of emerging claims related to COVID-19.  

Our response: while the D&O markets are a bit shaken right now, the banking sector has not seen the significant premium increases other areas have. However, some carriers are tightening in various ways, including more disciplined risk selection, increased retentions, lack of three-year prepay options, and narrower terms and conditions. 

MBIS’s lead D&O carrier, AmTrust, continues to offer broad terms, conditions, and less-than-market pricing with three-year prepay options. The MBIS-negotiated D&O forms have been broader than what we have experienced with policy forms negotiated by other agencies.  

For more guidance and insight like this, you need to work with an agency that knows banking as well as it knows insurance. That’s MBIS.  

Find out how MBIS can help your bank manage risk, and join our over 200 bank clients in Wisconsin, Minnesota, and North Dakota in enjoying peace of mind. Contact Jeff Otteson at 608-217-5219 or jeffo@mbisllc.com today. 

Lund is WBA executive vice president – chief of staff and president of EBC and MBIS. 

By, Amber Seitz

/by
Wisconsin Bankers Association logo

questions@wisbank.com

608-441-1200

4721 S Biltmore Ln.
Madison, WI 53718

Get our Newsletter!
Subscribe