
The second in a series exploring the effects of the COVID-19 pandemic on banks in Wisconsin.

By Hannah Flanders

As COVID restrictions continue to subside and the days of isolation have since passed (we hope), bankers and customers alike return in droves to their community banks. However, the challenges presented by the pandemic will forever leave a lasting impact on the way banks operate.

Like most Americans, banks were forced into the confusion and chaos of the COVID-19 lockdown with little to no time to prepare. With disaster plans in place, many banks quickly turned remote, began servicing loans through drive-ups or in the parking lot, and relied on technology to stay connected to their team and customers.

The pandemic’s ongoing impact has allowed banks around the country to reassess the needs of both their customers and staff in connection to the bank and its physical or online branches.

For well over a century, brick and mortar banks have been the cornerstones of communities throughout Wisconsin. Be it for the safety and security of their money, or the personal connection associated with meeting in person, consumers across the state highly value their local, physical bank branches. However, many banks are rethinking their approach to the ‘traditional’ bank.

“[The ways in which] banks interact with clients and where employees get their work done has changed,” says Laurie Richards, vice president and partner at LERDAHL, a workplace interiors company and WBA Associate Member. “Bank branches are remodeling their locations to accommodate a wider variety of expectations that have emerged over the last two years as competition increases for clients and employees.”

A key component of embracing post-pandemic life for Americans around the country has been implementing the lessons learned — and this is certainly no different for Wisconsin bankers. As new branches — including Capitol Bank on Madison’s east side and Farmers and Merchants State Bank in Lake Mills — pop up around the state, new challenges arise as to how banks reimagine themselves in their communities.

As the pandemic proved, accessible banking is the most important factor to both banks and consumers. “Horicon Bank has a renewed commitment to innovate the way we help our customers. The needs of our customers are changing — and in 2020 they changed rapidly,” says Grace Bruins, marketing officer at Horicon Bank. “We’ve had to take a look at the things that make us unique — personal service, community commitment — and find a way to offer that in a digital environment as well as a physical one.”

Throughout Wisconsin, community banks envision new ways of exceeding the expectations of their customers. “Our plan is to continue to invest in our people and technology to help the bank grow and be successful,” says Prevail Bank President Nathan Quinnell. Many banks throughout the state have made upgrades such as e-signatures, ITMs, and online chat functionality for customers — Prevail Bank also hopes to upgrade their online mortgage process, add online account opening functionality, and sustain remote employees.

While many banks offered remote options during lockdown, many Wisconsin bankers have returned with full force to their branches and remote employment is considered on a case-by-case basis. Finding ways to leverage technology and space within the office is not only critical to staying relevant to customers in a world with increasing interest in digital banking, but to finding and retaining talent in a competitive job market.

“As we are in the relationship business, in addition to valuing our customers, we value the presence and safety of our employees,” says Capitol Bank President and CEO Ken Thompson. With insight from having successfully navigated the challenges created by the pandemic, Thompson understands the value this new space adds for both his customers and employees.

The combination of private office locations balanced with the increasing need for open, conference-style spaces planned for the new Capitol Bank location highlights a shift from individual to collaborative work and supports the idea that the type of task, privacy, and level of collaboration required is flexible throughout the day. With the assistance of technology, bankers are now able to maintain the office environment and culture as well as offer support to branches across towns, cities, or the state.

“As well as providing legendary customer service, embracing future technology is an important aspect of nurturing our current and future customer relations,” says William Campbell, Farmers and Merchants State Bank president and CEO.

“As we transition into our new Lake Mills branch, offering secluded spaces where customers can meet with Lake Mills staff as well as virtually meet with Waterloo and Marshall team members, will not only allow for an easier transition but offer our customers a variety of services,” adds William Hogan, Farmers and Merchants State Bank CFO.

In reimagining accessibility, bankers have considered new ways customers are able to interact with bankers — via the drive-up, ITMs, and through their digital branches — and explored elevating existing offerings.

“Since the pandemic started, [Horicon Bank] believes there are more customers looking for digital banking services,” says Horicon’s CFO Robert Traylor. Whether it be mobile banking or the desire to digitalize services already offered at the bank — there is no doubt to bankers that the use of technology in some capacity offers customers a greater personalized banking experience and, in the case of online banking, allows their money and other banking services to become accessible to customers no matter where they are.

Accessibility, be it of the physical branch or the online services, continues to be amplified by the days of COVID-19. In understanding the need for both brick and mortar and virtual banking practices as well as approaches to combine the two, Wisconsin bankers hit their stride and continue their growth looking beyond the pandemic.

Community banking is, and always has been, concerned with the relationship built between the banker and the customer. Providing safe and productive spaces — both in-person and online — that offer the relevant tools and foster growth for both the employees and clients, is ultimately beneficial to the success of any community bank.

 

By Kenneth D. Thompson, WBA Board chair, president and CEO of Capitol Bank, Madison

After the challenges of the last several years, I believe I speak for everyone when I say I am continually amazed by the optimism that Wisconsin bankers hold not only for the growth of our industry, but for our economy and communities as well. Although the COVID-19 pandemic continues to wreak havoc, I expect 2022 to be a year of immense growth and transition within our industry.

As bankers, we are fortunate to have a unique perspective on our economy and communities. As many member CEOs highlighted in WBA’s recent Economic Conditions survey, despite recent obstacles, a majority of Wisconsin bankers rate the current health of the economy as ‘good’ and predict this to stay the same well into 2022.

Our work in providing flexibility to our staff and customers, as well as exceeding expectations of managing liquidity and technological growth in 2021, has absolutely aided in our efforts to provide stability in times of uncertainty. Our industry will continue to be challenged into 2022 as we face inflation; ongoing COVID protocols surrounding vaccinations, boosters, and possible mandates; as well as talent retention.

However, as mentioned repeatedly by Minneapolis Federal Reserve Bank President and CEO Neel Kashkari during WBA’s annual Midwest Economic Forecast Forum, Wisconsin’s economy and our region as a whole has been on par with the recovery of the nation. Efforts by our community banks have not gone unnoticed and have played, and will continue to play, a substantial role in rebounding our economy.

Of course, innovation will remain the name of the game as banks navigate uncertainty. The next eleven months will certainly show the flexibility, creativity, and expertise of banks in Wisconsin and set our industry apart.

Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021, Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associate’s degree in data processing. Over the past two decades, he has also garnered a collection of training courses through vendors and trade schools as well as certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give users more processing power and more ability to manipulate data. As the data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but out at the desktops anywhere in the company.

As data collection and storage abilities improved, not only did it become more difficult for all the information to be properly secured, it became increasingly important. Regulations have been created today in order to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our companies’ DNA,” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message in appreciation over the last 13 years, “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”

By Kenneth D. Thompson, WBA Board chair, president and CEO of Capitol Bank, Madison

January marks the halfway point of my time as WBA chair and as we transition into a new year, there are undoubtedly new things to look forward to as an industry and as an association.

Our successes in 2021, many of which related to the ongoing uncertainty of the COVID-19 pandemic, taught us all valuable lessons I hope can be brought with us into the new year. From low levels of past-due loans throughout our industry to excess liquidity, it’s safe to say that stepping outside of our routine has resulted in spectacular results.

Looking onward to 2022, I encourage bankers to approach challenges with the same curiosity we have for the past two years. As our industry continues to grow, how will each of us lead the way in making Wisconsin banks efficient, diverse, and robust?

WBA has long known that banks are cornerstones in our communities and as such, should be leaders in embracing societal developments. Technology, for both our customers and employees, has been and should continue to be an aspect that sets our industry apart. In embracing these digital channels, banks have a unique ability to meet the expectations of customers while also supporting them with cybersecurity and best technological practices.

Our ability to advance diversity, equity, and inclusion (DEI) efforts, as well as offer flexibility to employees, has the potential to set our industry apart. This is especially important to consider as we navigate through a competitive hiring and retention landscape.

As we all envision a brighter 2022, it serves us to remember that innovative solutions, such as PPP and advances in online banking, have provided our communities with much-needed assistance in the past. We must not be held back by what we are familiar with. This pandemic has taught us all that some of the most effective answers may not be the ones that have been tried before.

It is essential for banks to approach these situations with caution instead of resistance and as always, WBA remains a valuable resource in education, advocacy, and community involvement for each of us as we look forward to what’s to come in 2022.

By Tom Still, WTC President

The list of economic uncertainties for 2022 is long and complex, with COVID-19 variants, supply chain woes, energy disruptions, climate-change anxieties, and political frictions around the world producing jittery markets.

It’s time to look for trends in technology to calm frazzled nerves on Wall Street as well as Wisconsin’s Main Streets.

Analysts at International Data Corp., the global market intelligence firm, predict the technology industry is on track to exceed $5.3 trillion in 2022 — thus returning to the 5% to 6% annual growth rate typical before the pandemic. The United States is the world’s largest tech market, representing about a third of the projected total at $1.8 trillion.

Tech overcame the 2020 speed bump precisely because COVID-19 triggered so much change. The workplaces of today are no longer easily defined. Changes in business travel forced innovation. Cybersecurity threats led to more investment across industry lines, from financial services to “Mom and Pop” retailers. Phrases such as “quantum computing,” “virtual reality,” and “artificial intelligence” were once the exclusive lingo of computer scientists; today, they’re part of the business plans for many companies.

It all points to bigger tech budgets, greater investment and more innovation pushing through the economic super-structure.

Technology will continue to disrupt many verticals. Health care is being transformed through telemedicine and wearables, not to mention breakthroughs in diagnostics and therapeutics. The jury is out on how effective remote learning has been for students of all ages, but online education will continue to have a role in the classroom. Sales through eCommerce in the United States continue to soar (hence, some of today’s supply chain troubles) and trends such as cryptocurrency are altering the financial world.

Tech can help slow climate change effects through conservation controls in homes, offices, cities, and power plants, even if “crypto-mining” has become an energy vampire. Likewise, as technology displaces many people in the workforce, it will create more new jobs than it destroys. The trick is ensuring that people are trained to do the work and opportunities don’t bypass women and minorities.

There are some threats to U.S. tech sectors, but also opportunities for Wisconsin to grow as a tech-savvy state.

In Washington, D.C., Congress should establish data privacy rules that are national in scope versus a state-by-state approach that could hamper companies engaged in eCommerce, finance, or insurance. Congress should avoid unnecessary taxes on venture capital managers and not pass an antitrust bill that would shut down “exit” options for young companies.

Congressional consensus around bipartisan plans to invest federal dollars in key research areas could help Wisconsin, especially if the state’s research universities and private partners can compete for one or more R&D “hubs” envisioned through the National Science Foundation.

In the Wisconsin Legislature, the refining of the state’s investor tax-credit law will lead to more angel and venture capital dollars flowing into young companies. When the Qualified New Business Venture law took effect in 2005, angel and venture capital investments could be measured in the tens of millions of dollars. The 2021 total will easily exceed $500 million, in part because those credits are pulling four times their weight in private investment. Pending bills would improve the law.

The new year may be tumultuous in many ways, but growth in tech markets could help smooth choppy waters.

The Wisconsin Technology Council is the independent, non-partisan science and technology advisor to the governor and the Legislature.

FIPCO partners with interface.ai

In this current world, customer connection comes at a premium. The pandemic changed many things and shifted customer behavior. Now customers who may have previously stopped by a branch to ask a question are seeking service through phone more and more. How can financial institutions manage the ever-increasing number of calls while still providing high-quality service?

FIPCO is proud to announce a new partnership with interface.ai. interface.ai’s artificial intelligence (AI)-Powered Phone Banking solves many of the problems faced by traditional call centers, elevating the entire call center experience. The AI-Powered Phone Banking automates more than 60% of the financial institution’s call center calls using the industry’s first neural voice-powered AI assistant.

“We are thrilled to be able to partner with interface.ai to offer this world-class product to our customers,” said Pam Kelly, president of FIPCO. “We understand the need for effective service for everyone who calls an institution, while making sure call center staff are not overwhelmed and customers aren’t stuck waiting for help in a queue.”

The AI-Powered Phone Banking reduces call wait times, while increasing productivity and engagement. FIPCO and interface.ai will be hosting informational webinars on November 9 and 16 to demonstrate the capabilities of this solution.

To learn more about this solution and the upcoming demos, contact FIPCO Sales at fipcosales@fipco.com or 1-800-722-3498, option 5.

Upcoming Informational Webinars:

Date: November 9, 2021
Time: 12:30 PM – 1:30 PM CT

Date: November 16, 2021
Time: 11:30 AM – 12:30 PM CT


By Cassandra Krause 

With a recent uptick in activity, ransomware attacks are a form of cyberattack that has been prevalent in recent news — and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game to steal the data first, then threaten to also publish the data to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets. 

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020–2021. The per-record cost of personally identifiable information averaged $180. 

Prevention 

With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director InfoSec and Audit Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of their network security, improving endpoint protection to replace traditional antivirus and endpoint detection solutions, including adding authentication improvements such as MFA, improved password strength, and protecting backups. As more and more of the digital tools that bankers utilize require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities. 

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Wolf & Company, P.C. Manager of the I.T. Assurance Group Sean Goodwin, who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.” 

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee rather than break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology). 

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This area of solution, known as endpoint detection and response, is rapidly becoming a key point of protection from ransomware and all other malicious events. 

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 

Preparation 

Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for their customers. Otteson recommends reporting all incidents as even a minor incident could result in a claim down the line and having reported that incident when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or with a vendor the bank shared customer data with. 

Mitigation 

It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the amount of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff. 

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incident response plan. Assessing what went well and what needs to be improved are critical steps.

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 

Summary 

Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destroyed data; and the downtime of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCO, MBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.

Five critical steps to maintaining a secure network.

Keeping your network secure in the current climate of internet assault is no small job.

Think back – how little has changed. In 2001, server-based worms were estimated to have cost private industry almost $3 billion. Code Red alone infected 359,000 servers in under 14 hours, and within 24 hours of Nimda, 50 percent of the infected hosts went offline. Fast forward to today and the exponential increase in breaches: how much is really that different?

These attacks reinforced the need for every organization to develop an information security action plan (ISAP). Doing this first involves evaluating, assessing, and auditing the existing security environment to identify major and minor problems (your inventory). Without knowing and understanding the current security posture, it is impossible to identify the most cost-effective solutions to deploy.

Veteran and well-trained security professionals realize there is no ‘silver bullet’ in information security. Following and adjusting to an industry security framework will keep you secure today and into the future. Using proper diligence to understand an organization’s security needs goes a long way in improving protection.

The following are critical first steps for building an ISAP to create a better defense in an increasingly dangerous cyberworld.

Creating Security Policy

First, create a clearly defined security policy that is strictly enforced. Understand that security goes beyond desktop PCs and ensure that the use of all laptops, copiers, fax machines, modems, and even printed information is included in the policy. Supply the policy to everyone in the organization, educate all employees about it, and enforce it consistently.

The policy is the roadmap to good security, and every employee should review it annually, be provided with opportunities to ask questions, and fully understand the policy. They should acknowledge their understanding of the policy in writing. The policy must become a standard part of the company culture and be enforced at the highest level. Not consistently enforcing policy can be worse than having no policy at all, because it could be used against the company (in litigation) to show that policy is not taken seriously in all cases.

Identifying Risk, Deploying Security

Second, identify an acceptable level of risk and deploy the appropriate level of security. It is no longer adequate for management to proclaim ignorance about potential vulnerabilities in the environment. Due diligence requires management to exercise sound judgment in protecting the environment consistent with the information being processed (i.e., the more sensitive the information, the more safeguards need to be put in place).

After assessments have been performed, there are essentially three measures that can be taken. They are to reduce the risk (perform remediation), transfer the risk (take out insurance), or accept the risk (identify cost justification).

If overall risk reaches an unacceptable level, appropriate remediation steps must be taken to get the exposures reduced in severity. If that cannot be done, documentation must be created to identify justification for accepting the risk, or possibly insurance can be purchased to transfer the losses associated with the risk to another organization.

Implementing Verification

Third, access to internal hosts must be controlled and monitored. Are employees only given access to what they need to perform their specific job? Are logs reviewed daily for inconsistencies and abnormalities?

Since many security breaches can be attributed to ‘insiders,’ or to a bad actor’s exploitation of an insider, trust no one. This is “Zero Trust”: it is important to live by an access philosophy of ‘least privilege’. Verify everyone and everything. Only give users the access they need to do their job. Not only must the data be protected and accountability of who is accessing it be maintained to ensure privacy, but simply tracking problems and events that occur in an environment is easier if it is possible to determine who has access to specific information. Even though incidents of access from outside a company get all the publicity, the most critical protection remains inside. Insider abuse of email or unmonitored internet access can cost in several ways beyond the lost employee time, bandwidth, and potential for viruses or worms.

Supplement the authentication and authorization system with audit trails and intrusion detection systems and use an incident response plan to follow up on suspicious activities and anomalies. Logs can be very large and contain enormous amounts of extraneous information. It is important to install tools that help sift through the abnormalities or make it possible to identify what a normal log looks like and flag unusual activity. Regular review of system logs can mitigate risk. This can include the implementation of modern extended endpoint detection and response solutions.
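The log review described above, identifying what a normal log looks like and flagging unusual activity, can be sketched as follows. This is an added example, not code from the article or from FIPCO; the key=value log format, the user, host and resource names, and the thresholds are all constructed assumptions.

```python
"""Added example: learn what "normal" access looks like per user, then flag deviations."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value log format (not from a real system).
BASELINE_LOG = """\
2024-03-04T08:55:10 user=jsmith host=teller-ws-03 resource=core-banking result=success
2024-03-04T13:20:41 user=jsmith host=teller-ws-03 resource=core-banking result=success
2024-03-05T09:02:17 user=jsmith host=teller-ws-03 resource=email result=success
2024-03-05T16:45:00 user=jsmith host=teller-ws-03 resource=core-banking result=failure
2024-03-04T07:30:05 user=mlee host=it-admin-01 resource=domain-controller result=success
2024-03-05T17:10:59 user=mlee host=it-admin-01 resource=backup-server result=success
"""
REVIEW_LOG = """\
2024-03-06T09:15:22 user=jsmith host=teller-ws-03 resource=core-banking result=success
2024-03-06T02:41:08 user=jsmith host=teller-ws-03 resource=core-banking result=success
2024-03-06T10:05:30 user=jsmith host=teller-ws-03 resource=wire-transfer result=success
2024-03-06T11:00:01 user=mlee host=lobby-kiosk-02 resource=domain-controller result=failure
2024-03-06T11:00:09 user=mlee host=lobby-kiosk-02 resource=domain-controller result=failure
2024-03-06T11:00:15 user=mlee host=lobby-kiosk-02 resource=domain-controller result=failure
2024-03-06T14:12:44 user=temp01 host=teller-ws-07 resource=core-banking result=success
malformed line that the parser must not choke on
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>success|failure)$"
)
NEW_HOST = "host not seen for this user"
NEW_RESOURCE = "resource not accessed by this user before"
ODD_HOUR = "hour outside baseline"
FAILURE_BURST = "repeated failures"
NO_BASELINE = "no baseline for user"


def parse(text):
    """Return (events, rejected_count); unparseable lines are counted, not silently dropped."""
    events, rejected = [], 0
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        m = LINE_RE.match(line.strip())
        if m is None:
            rejected += 1
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            rejected += 1
            continue
        events.append({**m.groupdict(), "ts": ts})
    return events, rejected


def build_baseline(events):
    """Per-user profile of hosts, resources and hours, learned from successful access only."""
    profiles = defaultdict(lambda: {"hosts": set(), "resources": set(), "hours": set()})
    for ev in events:
        if ev["result"] != "success":
            continue  # a failed attempt must not make a resource look "normal"
        p = profiles[ev["user"]]
        p["hosts"].add(ev["host"])
        p["resources"].add(ev["resource"])
        p["hours"].add(ev["ts"].hour)
    return dict(profiles)


def review(events, profiles, hour_slack=1, fail_threshold=3, fail_window=timedelta(minutes=5)):
    """Return [(timestamp, user, [reasons])] for every event that deviates from the baseline."""
    findings, recent_failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # logs may arrive out of order
        reasons, profile = [], profiles.get(ev["user"])
        if profile is None:
            reasons.append(NO_BASELINE)
        else:
            if ev["host"] not in profile["hosts"]:
                reasons.append(NEW_HOST)
            if ev["resource"] not in profile["resources"]:
                reasons.append(NEW_RESOURCE)
            lo, hi = min(profile["hours"]) - hour_slack, max(profile["hours"]) + hour_slack
            if not lo <= ev["ts"].hour <= hi:
                reasons.append(ODD_HOUR)
        if ev["result"] == "failure":
            window = [t for t in recent_failures[ev["user"]] if ev["ts"] - t <= fail_window]
            recent_failures[ev["user"]] = window + [ev["ts"]]
            if len(window) + 1 >= fail_threshold:
                reasons.append(FAILURE_BURST)
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], reasons))
    return findings


def run():
    baseline_events, _ = parse(BASELINE_LOG)
    review_events, rejected = parse(REVIEW_LOG)
    return review(review_events, build_baseline(baseline_events)), rejected


if __name__ == "__main__":
    for finding in run()[0]:
        print(finding)
```

Each finding is a prompt for the incident response plan's follow-up, not a verdict; the count of rejected lines is returned so that unparseable entries are reviewed by hand.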

Testing Upgrades and Patches

Fourth, vendor upgrades and software/hardware patches should be tested adequately before migrating to production. Anti-virus tools should be deployed and automatically updated with new signature files.

Changes are constantly occurring in the environment. New software can introduce new vulnerabilities and it is well-known that some software companies do not create secure applications or operating systems. Be sure to have clear documentation to migrate all changes to production and a contingency plan should problems occur.

Malicious code continues to be a major problem for organizations. It is no longer adequate to simply install an antivirus tool and assume your problems are alleviated. It is not adequate to assume the user will behave properly to protect their desktop and company data. Today’s generation of protection must not be dependent on signatures and needs to consider other layers of information: users, files, hosts, and the network. Throw in deception technology and you have a robust solution.

Handling Any Defaults

Fifth, be sure default accounts, passwords, and settings have been appropriately handled in operating systems, routers, databases, and applications.

Keep in mind that almost all operating systems, including third-party applications, come with sample files, many of which are extremely dangerous. Almost any operating system and many application system installations require a powerful ‘administrative’ or privileged account to complete installation. This account is shipped with a default password, which often is not changed by the network, system, or application administrator. It should be changed immediately at initial installation even on test systems. If the account needs to remain in existence, it should be tightly locked down, audited, and, if possible, have its default name changed. In addition, it should not be used on a routine basis for administration. Individual administrative accounts should be assigned to authorized users with proper access requirements granted, training provided, and responsibilities understood.

In summary, there are numerous measures that can be taken to ensure a company’s infrastructure can protect its information assets. This all creates the requirement for a thorough information security action plan. A certified, qualified, well-trained chief information security officer can usually lead a corporation along a path to protected information assets and a secure business environment.

To learn more, call or email Ken Shaurette, FIPCO's Director – Information Security and Audit, at 800-722-3498 ext. 251 or itservices@fipco.com today.

 

By, Ally Bates

With technology taking an increasingly important role in banking, directors of community banks need to be up to speed on the responsibilities this trend brings. 

From mobile banking to online loan applications to digital account opening, technology is crucial to financial institutions, said Patrick Neuman, a partner with the law firm Boardman Clark. He cited this as a reason directors should be tuned into their bank’s technology and cybersecurity. 

“Digital platforms create enormous opportunity, but they also require strategic planning and robust risk management practices, and that really starts at the board level,” said Neuman, who focuses on banking for Boardman Clark. “The board really does need to be informed. There are a number of different risks they need to be thinking about and a number of different kinds of strategies they need to be thinking about as their bank is expanding its digital platform to stay competitive in the marketplace.” 

Neuman and Boardman Clark colleague Cat Wiese plan to cover those issues in their presentation during the WBA Directors Summit, a virtual live event from 9 a.m. to 12 p.m. CDT on May 19. Wiese said she plans to talk about compliance concerns that come along with technology. 

In the Summit, directors of community banks will hear from experts on topics such as choosing technology vendors and getting ready for the future instant payment system. They’ll also be urged to take a close look at their assets and prepare for the rebooting economy. 

Patrick Dix, vice president of strategic alliances for the financial services and technology firm SHAZAM Inc., will talk with Summit attendees about the current and coming payments landscape. Part of the focus will be on the Federal Reserve’s desire for safe, ubiquitous, and faster payments capabilities in the U.S. and what’s happening on that front. 

“We’re going to touch on what’s coming next, which is faster payments,” Dix said. “This is a topic that’s been talked about for the last two or three years in real general ways, but I think things are getting real now.” 

It’s time for community banks to start thinking about and discussing how to help create a system in which they’ll participate for many years to come, he said. Dix said it amounts to “a reimagining of the payments system as we know it.” 

“We want to pose some questions so they can start thinking about that,” he said. 

How might that issue affect bank directors? 

“In many community banks, the directors are involved in decisions like, ‘Do we change our core?’  And that’s a big decision, certainly, but it also will have impact on these kinds of future technology,” Dix said. “How will your core play with other fintech companies? Will they be interoperable with other players in the industry?” 

Dix added: “I always say to people, ‘If your biggest tech partner can’t hook up to other systems, how good of a tech partner are they? If they won’t hook up to other tech partners, how good of a partner are they?’ Those are real important questions for community banks.” 

While technology will be in the limelight at the Summit, one presenter, Marc Gall, vice president and asset/liability strategist at BOK Financial, plans to look at some other topics of key concern to bankers:  interest rates, liquidity, and earnings. 

“Right now, most banks are swamped with liquidity and not really sure what to do with it,” Gall said. 

On the other hand, there is concern as the economy improves, inflation is going to take off, and rates are going to rise. 

“Balancing that weight of a very low earning asset on your book — being cash — with the potential risk that’s out there for rising rates leads banks to be a little bit more perplexed right now as to what to do,” Gall said. 

He said banks need to assess what’s on their balance sheet and, as pandemic relief measures like Paycheck Protection Program loans go away, get back to the nuts and bolts of banking. 

Gall added that some think the Fed is going to raise interest rates faster than what it has indicated and inflation will soar. He’s not convinced this is the case and said there may be risk to banks sitting on piles of cash. Some banks feel like if they do that, it’s conservative and they’re not taking a risk, he said. 

“But we would say doing nothing is a risk in and of itself,” Gall said. 

The Directors Summit is recommended for bank management teams, beginning or experienced inside and outside directors, bank CEOs, executive officers, and bank general counsel. 

Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years. Have a story idea? Contact him at paul.gores57@gmail.com.

By, Alex Paniagua

Events

Formal project management techniques improve an organization’s chances of completing projects successfully. We’ll review research-based techniques that you can use when managing and when sponsoring projects that will lead to successful outcomes. This course is designed to provide tools and techniques for successfully managing a medium to large scale project and how to monitor the “health” of your project throughout the process.

In session 1, we’ll review the elements of a project that will expose you to many of the common problems that can occur in medium to large scale projects. We’ll then use this experience to highlight current research on how to avoid common project pitfalls.

Topics explored include:

  • Managing the classic constraints of project management: schedule constraints, budget constraints, and scope of deliverables and the quality of the deliverables.
  • Managing and scheduling staffing resources throughout the lifecycle of the project.
  • Techniques that can help teams identify the most important business requirements of any future system.
  • Managing projects that include new technologies.

In session 2 we’ll explore common causes and symptoms of project failure and introduce a framework that can be used to measure the “health” of your projects. The framework can be used as a tool to help with project selection or as an instrument to detect that the project is in trouble.

Topics covered include:

  • Signs of trouble for large, intermediate, and small projects.
  • Risks associated with projects that can lead to troubled projects.
  • Steps you can take to start to get your troubled projects back on track.

Target Audience: Any employee involved in project management in the bank.

Presenter
Richard Hamm, Advantage Consulting & Training

Registration Options
Live presentation $545

Recording available through August 12, 2022

It’s time to shift our thinking when it comes to security awareness training. Yearly education and testing just doesn’t cut it in today’s cyber world. Security awareness is a topic we should have in front of our people on a much more consistent basis.

However, as we all know, creating a culture in any environment involves more than words or flipping a switch — it involves thoughtful and deliberate action across the organization, as well as accountability for that culture. Culture also has to start at the TOP of the organization, or it will be meaningless downstream. Overall, the goal of a Culture of Cybersecurity is to make security the first thing we think about, as opposed to the last.

Join us for this session, which will include:

  • Cyber Threat’s New Normal
  • People, Process, and Technology — which is the weakest link?
  • Compliance-based security awareness training
  • Proactive Security Awareness Training
  • Building an Effective Security Awareness Training Program
    • Directors/Executive Management
    • Employees
    • Customers
  • Topical training ideas
  • Why accountability matters most

Target Audience: Incident response team, information security officer, IT manager, risk officer, internal auditor, and IT focused staff.

Presenter
SBS CyberSecurity, LLC

Registration Options
Live presentation $330

Recording available through August 13, 2022

During this basic course, we will review all the treasury management products and services that are available in the market. You will learn about the new products, technology, and authentication methods now available and decide which ones your business account holders may need based on their industry. You will learn strategies to cross-sell the right treasury management products your business account holders need from the start.

The bankers of today must be “lenders” as well as “deposit gatherers.” Community banks are searching for ways to increase core deposits and non-interest fee income: treasury management is the answer. In this course, you will gain a deeper understanding of how the sales, treasury management, IT, marketing, and deposit operations team members must collaborate to successfully sell and implement the products and services at your institution. We will cover the ideal organizational design for treasury management and how to incentivize the sales team.

You will walk away from this course with a deeper knowledge of treasury management, learn to conduct risk assessments on new products, and learn strategies to increase core deposits. You’ll also bring ideas back to your institution on how to market treasury management products and services to your business account holders and ways your team can work better together knowing how critical each area is to the success of the implementation and sale of these products and services.

Topics Covered:

  • Maximizing the account analysis statement as a tool to cross-sell and identify new fee income opportunities
  • Quick overview of all treasury management products and identifying enhancements focusing on each product’s benefits to businesses — the value
  • Identifying new products available that your business customers or members are asking for that you may be missing
  • How to determine which products you need to offer to your business customers or members based on industry
  • How treasury management integrates with technology, operations, marketing and sales teams
  • Ideas on how to market and brand your treasury management products
  • The ideal organizational design for treasury management and how to incentivize the sales teams
  • Process to implement treasury management products
  • How to choose the right digital payment strategy for your business clients or members (including Blockchain)

Target Audience:  Business bankers/sales team members who want to learn about treasury management products and their benefits to business clients, treasury management sales officers/specialists, deposit operations personnel, IT, and marketing staff. This course is also designed for presidents/CEOs who are looking for the ideal organizational structure for treasury management and looking for additional non-interest fee income as well as new core deposits.

Presenter
Marcia Malzahn, Malzahn Strategic

Registration Option
Live presentation $330

Recording available through June 10, 2022

Explore the fundamental building blocks of a repeatable framework for cybersecurity and information security issues. Your information security program can be more than a document created for compliance. We will help develop a program that provides your institution with clear direction and guidance that meets and exceeds regulatory expectations while addressing real-world risks.

Some bank programs implemented today are a collection of documents pulled together over the years that exists primarily to satisfy regulatory requirements. The Information Security Program should be a coordinated set of policies that work together to implement a unified set of controls across the organization: a daily playbook used by employees to fight cybercrime, not a collection of documents to satisfy auditors and examiners.

Discussion Topics

  • Regulatory Requirements
  • Purpose of repeatable cybersecurity frameworks
  • Program Basics for a solid framework
  • Detailed explanation of framework components
  • Next steps for a comprehensive, valuable, repeatable framework
  • Making decisions with the framework
  • See new issues and technologies automatically handled by a solid framework

Target Audience
Incident response team, information security officer, IT manager, risk officer, internal auditor, and IT focused staff members

Presenter
SBS CyberSecurity, LLC

Registration Option
Live presentation $330

Recording available through April 28, 2022

New technologies have changed the way banks interact and do business with their customers. In this ever-changing and evolving market, what will be next? Doing nothing is not a strategy. This presentation will cover the latest technologies in banking and what your board and executive management need to do to prepare for the future.

Learning Objectives

  • Identify new products and services.
  • Discuss outsourcing of technology management and cloud computing.
  • Define the bank’s role in selection and due diligence.

Target Audience
Marketing officers, IT officers, anyone responsible for the digital banking experience in the bank

Presenter
Mark Scholl, Wipfli LLP

Registration Option
Live presentation $275

Recording available through April 27, 2022

Outsourced Third Party (Vendor) Risk Management is a top priority with the regulators. Ensuring that your Program is not only effective but also meets their expectations therefore needs to be a priority for financial institutions. When you outsource, you place your confidential customer information in someone else’s hands, along with the availability and security of that information, but you still retain the responsibility for ensuring the integrity, confidentiality, availability, and security of the information, making this Program a crucial part of your overall Information and Cyber Security Program.

Demonstrating the importance of this Program, the OCC and the FRB both issued updated guidance relating to third party relationships in October and December of 2013, respectively, while the FDIC reissued its Technology Outsourcing Informational Tools in April of 2014. Then on February 6, 2015, the FFIEC released an update to the Business Continuity Planning Handbook adding Appendix J: Strengthening the Resilience of Outsourced Technology Services. On November 14, 2019, a revised Business Continuity Planning handbook was released that addresses: Third Party Management, Third Party Capacity, Testing with Third-Party Technology Service Providers, and Cyber Resilience. The FFIEC Cybersecurity Assessment Tool (CAT) also includes declarative statements relating to Outsourced Third Party Risk Management practices. Susan Orr has assisted numerous institutions with developing their Outsourced Third Party Risk Management Program and will share her insights into developing an effective program in this webinar.

What You Will Learn

  • FFIEC agencies’ expectations for your Program
  • The latest guidance:
    • November 2019 BCP Handbook
    • Appendix D of the FFIEC Outsourced Technology Services Handbook
    • FFIEC Supervision of Technology Service Providers, September 2012
    • FDIC April 2014 Tools to Manage Technology Providers Informational Brochures
    • OCC October 2013 Third Party Relationships
    • FRB December 2013 Guidance on Managing Outsourcing Risk
  • Classification and Risk Rating criteria
  • Required Program elements and essentials
    • Responsibilities
    • Needs Assessment
    • Due Diligence/Selection
    • Contracting
    • Risk Assessing
    • Oversight

Who Should Attend?
Senior Management, Information Security Officers, Compliance Officers, Risk Managers, IT Managers, Operations Managers.

Presenter
Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.

As an auditor and consultant, Susan is dedicated to assisting financial institutions in implementing appropriate policies and controls to protect confidential information and comply with regulatory mandates and best practices. Her expertise as an auditor and former examiner provides her the knowledge and expertise to conduct comprehensive IT general control and data security reviews and assist banks in developing and updating policies and procedures and risk assessments, performing third party risk management, and facilitating testing and training. Susan is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC).

Registration Options
Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395

Risk assessments are an essential element of overall risk management and provide the basis for many of your policies, plans, and programs, like your information security program, audit program, and business continuity plan. The basis for the risk assessment mandated by GLBA in 2000 was initially thought to be oriented to IT, thus the requirement for an IT Risk Assessment; after all, it is the IT examiners that are evaluating it. However, today the focus has shifted to an enterprise-wide information security risk assessment that encompasses the entire organization, where IT is a key component. Even today, the content of this risk assessment continues to cause some confusion, and because the regulators do not prescribe any specific format, only content, many organizations are finding their assessment criticized during their exams and audits. Then add the requirement for a cyber security risk assessment to the mix! How can anyone keep it all straight?

Performing risk assessments is a prominent requirement with just about everything you do today. A properly structured enterprise-wide information security risk assessment will not only help you focus your resources and budget dollars where they are needed, but also provide the basis for your information security program and IT audit program. The right approach will also get you off to a running start on all those other risk assessments you need to complete. This presentation will provide an approach for developing an enterprise-wide information security risk assessment and a framework that can be adapted to the other numerous risk assessments now required.

What You Will Learn
What is meant by enterprise-wide?
Where do I start?
Can I outsource the risk assessment?
Is there an approved format or template?
Understanding the difference between IT and enterprise-wide risk assessments
Simplifying the approach
Developing a matrix

Who Should Attend?
Anyone responsible for developing a risk assessment or leading a risk assessment team.

Presenter
Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.

As an auditor and consultant, Susan is dedicated to assisting financial institutions in implementing appropriate policies and controls to protect confidential information and comply with regulatory mandates and best practices. Her expertise as an auditor and former examiner provides her the knowledge and expertise to conduct comprehensive IT general control and data security reviews and assist banks in developing and updating policies and procedures and risk assessments, performing third party risk management, and facilitating testing and training. Susan is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC).

You may contact Susan by phone or email: 630.248.7788 or susan@susanorrconsulting.com

Registration Options

Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395

You already know how remote deposit capture works, but do you understand the associated risks? This webinar will explain the legal side of RDC, including the potential liability to your institution. It also will analyze the legal agreements you should be using and the disclosures you should be making regarding remote deposit capture. RDC technology is easy compared to the legal aspects involved. Join this webinar to get a handle on the risks, liability, and best practices.

Attendance certificate provided to self-report CE credits.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
Distinguish the parties involved in the remote deposit capture (RDC) process and the responsibilities of each
Identify the risks and potential liability to your institution from remote deposit and mobile devices
Implement prudent policies and procedures to reduce the risk to your institution
Understand the agreements/disclosures that are legally required, and the additional agreements/disclosures that will provide added protection for your institution
Explain the differences between remote deposit capture, remotely created checks, and imaged cash letters

WHO SHOULD ATTEND?
This informative session is designed for deposit operations personnel, consumer and commercial account managers, compliance officers, security officers, technology personnel, attorneys, and other staff involved with RDC.

TAKE-AWAY TOOLKIT
FFIEC’s guidance Risk Management of Remote Deposit Capture
Employee training log
Interactive quiz

ABOUT THE PRESENTER – Elizabeth Fast, JD & CPA, Spencer Fane LLP

Elizabeth Fast is a partner with Spencer Fane Britt & Browne LLP where she specializes in the representation of financial institutions. Elizabeth is the head of the firm’s training division. She received her law degree from the University of Kansas and her undergraduate degree from Pittsburg State University. In addition, she has a Master of Business Administration degree and she is a Certified Public Accountant. Before joining Spencer Fane, she was General Counsel, Senior Vice President, and Corporate Secretary of a $9 billion bank with more than 130 branches, where she managed all legal, regulatory, and compliance functions.

REGISTRATION OPTIONS
Live Webinar Access – $245
On-Demand Access + Digital Download – $245
Both Live & On-Demand Access + Digital Download – $320

October 3-7, 2022
Fluno Center for Executive Education
Madison, Wisconsin
Enrollment Deadline: September 6

KEY INFORMATION SECURITY STRATEGIES

Online bank fraud has been described as epidemic, with numbers that are staggering — it’s estimated that U.S. banks lose $1.5 billion to phishing attacks annually. Consider also that mobile devices are now ubiquitous and hackers are getting ever-more sophisticated in their ability to gain access to sensitive data and it’s clear that there is a need for proactive IT security offense and defense to stop attacks including phishing, malware, coordinated denial of service attacks, hacktivist breaches and more. The threats to the banking sector are multiple and significant — both financially and reputationally. Today’s bank customer is rightfully concerned about online banking fraud and studies show that the majority of customers would change banks if they became a victim of fraud at their current institution. Security breaches not only cost significant dollars, but they also erode consumer trust. Being proactive is key.

Don’t miss this innovative school that’s designed by, and especially for, information security officers in the financial industry. This state-of-the-art program will broaden your understanding of the business of banking including key drivers of bank profitability, along with an in depth, interactive and hands-on study of the latest IT security techniques and strategies.

The school uses a mix of lecture, small group discussions and interactive computer labs. The hands-on, computer-based simulation labs will allow you to explore penetration and vulnerability testing, security attacks, early detection of data breaches and more. You’ll spend class time diving deep with IT security experts and knowledgeable colleagues who will become a network to call upon for years to come. Apply today to take advantage of this opportunity to learn from experts in the banking industry about today’s key issues in information assurance.

WHO SHOULD ATTEND

Whether you’re a veteran Information Security Officer or new to the IT security field, this powerful program will give you the skills and knowledge to effectively secure your bank’s and your customers’ most sensitive information.

Click More Information to view the full school details on gsb.org.

In this comprehensive webinar, Excel expert David Ringstrom, CPA, teaches you how many Excel functions and features can be used to create adaptable and easy-to-maintain budget spreadsheets. David explains how to separate inputs from calculations, build out a separate calculations spreadsheet, create both an operating and a cash flow budget, transform filtering tasks, preserve key formulas, and more.

David demonstrates every technique at least twice: first, on a PowerPoint slide with numbered steps, and second, in the subscription-based Microsoft 365 (formerly Office 365) version of Excel. David draws your attention to any differences in the older versions of Excel (2019, 2016, 2013, and earlier) during the presentation as well as in his detailed handouts. David also provides an Excel workbook that includes most of the examples he uses during the webcast.

Microsoft 365 is a subscription-based product that provides new feature updates as often as monthly. Conversely, the perpetual licensed versions of Excel have feature sets that don’t change. Perpetual licensed versions have year numbers, such as Excel 2019, Excel 2016, and so on.

Covered Topics

Accessing free downloadable budget templates that can be customized as needed.
Avoiding the complexity of nested IF statements with Excel’s CHOOSE function.
Building operating budgets quickly based on detailed supporting schedules that provide an audit trail.
Crafting formulas to compute gross margins, projected sales, commissions, and related amounts.
Employing the SUMIF function to sum values related to multiple instances of criteria you specify.
Improving the integrity of budget spreadsheets by isolating all inputs to a single worksheet.
Improving the integrity of spreadsheets by using SUMIF to look up values in a more flexible fashion than VLOOKUP.
Improving the integrity of spreadsheets with Excel’s VLOOKUP function.
Learning how the Table feature empowers you to improve the integrity of Excel spreadsheets.
Mastering the IFERROR function to display alternate values in lieu of a # sign error.
Navigating directly to inputs by using Excel’s Name Box, and then returning to the previous location in the workbook via the Go To command.
Preserving key formulas using hide and protect features.

Who Should Attend
Practitioners seeking to build budget spreadsheets that can be updated effortlessly and contain easy-to-follow supporting calculations.

Presenter
David H. Ringstrom, CPA, is an author and nationally recognized instructor who teaches scores of webinars each year. His Excel courses are based on over 25 years of consulting and teaching experience. David’s mantra is “Either you work Excel, or it works you,” so he focuses on what he sees users don’t, but should, know about Microsoft Excel. His goal is to empower you to use Excel more effectively. To learn more about David, you can view his LinkedIn profile and follow him on Facebook or Twitter (@excelwriter).

Registration Options

“Live” Web connection – $265
6-month “OnDemand” website link only – $295
CD-ROM and e-materials only – $345
Live plus OnDemand website link – $365
Premier Package: Live, OnDemand link, and CD-ROM plus – $395