The credit crisis and subsequent recession got me thinking about the potential for a similar "IT crisis" in community banking. Let's head over to our favorite web encyclopedia, Wikipedia, for a quick summary of the causes of the credit crisis:
Now, I don't intend to argue the relative merits of each of these points. Rather, the point I'm making is that disasters don't normally happen because of a single isolated event.
When things go wrong, it's usually a result of multiple forces coming together in a way that wasn't anticipated - or was ignored. The credit crisis didn't happen because banks wrote a couple of bad loans. Multiple factors are to blame. To really understand and anticipate our risks, we have to consider all of the forces at play.
What does that mean for IT? Are there forces that could contribute to an IT crisis in community banking?
Rather than regurgitate stats from the various security incident reporting services, I decided to take a different approach. I picked up the phone and spoke to a number of our clients. I shared my thought process and we talked about the forces influencing IT in community banking. Here are the results.
Force#1: The sophistication and number of attacks are increasing
The general consensus is that there will continue to be an increase in the number and sophistication of attacks. I don't think this is a surprise.
Think about the Zeus Trojan, which was built specifically to attack bank customers. It uses a technique called "Man-in-the-Browser." It takes advantage of vulnerabilities on your customer's computer, not on the Bank's systems. It waits for the customer to log in to a bank site and then silently creates or alters transactions in the background, inside the session the customer has already authenticated. That is how it bypasses security controls like usernames, passwords, and multi-factor authentication: the customer supplied all of them, and the malware simply rode along.
Earlier this year security researchers tracked down a Zeus botnet that raided more than $1 million from 3,000 compromised UK online banking accounts. It was going on for nearly a month before the Bank knew it was happening. The money flowed out of the Bank to accounts in Eastern Europe, where money mules emptied them.
This is very organized and very sophisticated stuff. See my post here for a more detailed discussion.
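One reason the raid above ran for a month is that each individual transfer looked like a customer paying a new payee. The pattern only shows up when you look across customers: many unrelated accounts suddenly paying the same brand-new beneficiary, often at odd hours and in amounts just under the Bank's limits. The following is an added example, not code from the original post, showing how a bank might run that check over its own outbound transfer records. The record layout, the constructed sample transfers and the thresholds are assumptions for illustration; a real deployment would read from the core processor's transaction feed and tune the thresholds to the Bank's own volumes.

```python
"""Added example: flag beneficiary accounts that suddenly receive transfers
from many distinct customers, the "fan-in" signature left by money mule
accounts.  Not from the original post; the record format, the constructed
sample data and the thresholds below are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample outbound transfers (not real data):
# (timestamp, customer account, beneficiary account, amount)
SAMPLE_TRANSFERS = [
    ("2010-08-01T09:10:00", "cust-001", "ben-landlord", 1200.00),
    ("2010-08-01T10:05:00", "cust-002", "ben-utility", 85.40),
    ("2010-08-02T02:14:00", "cust-003", "ben-mule-A", 4950.00),
    ("2010-08-02T02:31:00", "cust-004", "ben-mule-A", 4800.00),
    ("2010-08-02T03:02:00", "cust-005", "ben-mule-A", 4975.00),
    ("2010-08-02T03:40:00", "cust-006", "ben-mule-A", 4900.00),
    ("2010-08-03T01:55:00", "cust-007", "ben-mule-B", 4990.00),
    ("2010-08-03T02:20:00", "cust-008", "ben-mule-B", 4850.00),
    ("2010-08-03T02:48:00", "cust-009", "ben-mule-B", 4925.00),
    ("2010-08-03T04:10:00", "cust-001", "ben-mule-B", 4990.00),
    ("2010-08-05T11:00:00", "cust-010", "ben-utility", 92.10),
]

OFF_HOURS = range(0, 6)  # assumed: 00:00-05:59 local time counts as off-hours


def parse(record):
    """Turn one raw record into typed fields."""
    ts, customer, beneficiary, amount = record
    return datetime.fromisoformat(ts), customer, beneficiary, float(amount)


def find_fan_in_beneficiaries(transfers, window=timedelta(days=1),
                              min_senders=3, min_total=10000.0):
    """Return beneficiaries that, within any sliding window, receive transfers
    from at least `min_senders` distinct customers totalling at least
    `min_total`.  One customer paying one new payee is normal; several
    unrelated customers paying the same payee within hours is not.

    For each flagged beneficiary the widest qualifying window is reported,
    with how many of its transfers landed in off-hours."""
    by_beneficiary = defaultdict(list)
    for rec in transfers:
        ts, customer, beneficiary, amount = parse(rec)
        by_beneficiary[beneficiary].append((ts, customer, amount))

    flagged = {}
    for beneficiary, events in by_beneficiary.items():
        events.sort()  # oldest first
        start = 0
        best = None
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            senders = {customer for _, customer, _ in window_events}
            total = sum(amount for _, _, amount in window_events)
            if len(senders) >= min_senders and total >= min_total:
                candidate = {
                    "senders": len(senders),
                    "total": round(total, 2),
                    "off_hours": sum(1 for ts, _, _ in window_events
                                     if ts.hour in OFF_HOURS),
                }
                if best is None or candidate["senders"] > best["senders"]:
                    best = candidate
        if best is not None:
            flagged[beneficiary] = best
    return flagged


if __name__ == "__main__":
    for beneficiary, detail in find_fan_in_beneficiaries(SAMPLE_TRANSFERS).items():
        print(beneficiary, detail)
```

Run against the constructed data, the two mule accounts are flagged (four distinct senders each, roughly $19,600 and $19,750 within a few hours, all of it between 1 and 5 a.m.) while the landlord and utility payees are not. The point is not the specific thresholds but where the check lives: it has to run at the Bank, across all customers, because no single customer's session gives the malware away.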
Force#2: There will be an increase in the use of new technologies and services
How about cloud computing? That's where you store your data and access applications out on the Internet rather than on servers in your own building. Google is proving that the cloud is here to stay. Mobile devices and tablet computers are essentially windows to the cloud, and the apps that run on those devices are increasingly using the cloud as the primary data store. What does it mean for Banking? Personally, I believe it's just a matter of time.
Let's be a little less theoretical and think about the realities of today. I'm a consumer-banking customer. I went into my Bank branch exactly one time - on the day I opened my account - and I probably didn't even need to do that.
Did you see that Chase commercial where the newlyweds are lying on their bed on the night of their wedding, about to do the first thing that all newlyweds do... Count the money. They take a picture of one of the checks with a cell phone and it's deposited into their account. Pretty neat.
Now, you can make the argument that community banking is different because it's a relationship business. Relationships will always have value - but these people are also going to expect a certain level of technical sophistication. The general consensus is that the use of technology is going to increase.
Force#3: Outsourcing is not going away
Let's think about some of the things that are commonly outsourced in a community bank
Outsourcing will likely correlate to new services and technologies. In other words, as things get more technical - we'll be more reliant on our vendors to provide the expertise we don't have in-house.
IT makes outsourcing particularly challenging. Let's face it, you can have a Loan Review performed and there may be 10 people in the Bank who have a complete understanding of the report. Not true for an External Vulnerability Assessment. In a small community Bank there may not be a single person who understands the issues in that report. Our risks are elevated. How do we effectively manage processes that we don't fully understand?
Force#4: The potential impact from successful attacks is increasing
Quantifying the impact of an exploit is difficult for a lot of banks. How do we quantify the impact of an attack when we don't fully understand the risks? When community banks talk about the impact of a data breach, they're really talking about the impact from the loss of customer data - GLBA. The reality is there are other considerations that muddy the water and make it very difficult to quantify impacts.
Consider a typical community bank website with no customer data on the server. Online banking is outsourced and accessible through a link that redirects to the core processor's site. Pretty typical. Now the Bank's site is attacked and defaced. When users go to the site they no longer see the Bank's site, they see some political message, or pornography, or just a message that threatens users that their information has been stolen. Now, we know that no customer data was lost - the site was simply defaced. All the important stuff is on the core processors system.
But consider this...
Quantify the impact from the publicity of that attack.
Count on being in the newspaper. Will it impact your ability to get new business? Are you a publicly traded company? What will the impact be on your stock price?
Quantify the impact to your reputation with your existing customers.
Is it enough that they'll move down the street when that CD matures? You can bet the regulators will notice. How much will it cost you to prove remediation to them? You'll need an assessment, penetration tests, possibly a code review, and maybe even a management study. They may make you appoint an Information Security Officer if you don't already have one. Risk is more than customer data.
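One practical lesson from the defacement scenario is that "no customer data on the server" is not the same as "nothing on the server matters." The brochure site is the one place every online banking customer starts, and the link that sends them to the core processor is the most valuable thing on it. The following is an added example, not code from the original post, of a simple monitor a bank or its web vendor could run every few minutes: it fingerprints the homepage against a known-good baseline and, going a step beyond the plain defacement case above, also checks that the online banking link still points over HTTPS to the expected core processor host. The bank and core processor hostnames, the `id="online-banking"` marker on the link, and the HTML samples are all constructed assumptions.

```python
"""Added example: detect defacement of a brochure-style bank site and, more
importantly, a silently swapped online-banking link.  Not from the original
post; the hostnames, the link marker and the HTML samples are assumptions."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the outsourced online banking host and the Bank's own host.
EXPECTED_ONLINE_BANKING_HOST = "onlinebanking.example-coreprocessor.com"
ALLOWED_HOSTS = {"www.examplebank.com", EXPECTED_ONLINE_BANKING_HOST}
# Assumed: the homepage marks the online banking link with this id.
ONLINE_BANKING_LINK_ID = "online-banking"


class LinkCollector(HTMLParser):
    """Collect (id, href) for every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attr = dict(attrs)
            self.links.append((attr.get("id"), attr.get("href")))


def normalize(html):
    """Strip fragments that legitimately change between fetches (comments,
    timestamps, whitespace) so the baseline does not alarm every morning."""
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    html = re.sub(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(:\d{2})?\b", "", html)
    return re.sub(r"\s+", " ", html).strip()


def fingerprint(html):
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def check_page(html, baseline_fingerprint):
    """Return a list of findings; an empty list means the page looks intact."""
    findings = []
    if fingerprint(html) != baseline_fingerprint:
        findings.append("content changed from baseline")

    collector = LinkCollector()
    collector.feed(html)
    saw_banking_link = False
    for link_id, href in collector.links:
        if not href:
            continue
        parsed = urlparse(href)
        if link_id == ONLINE_BANKING_LINK_ID:
            saw_banking_link = True
            # The link must be HTTPS and must point at the real core processor.
            if parsed.scheme != "https" or parsed.hostname != EXPECTED_ONLINE_BANKING_HOST:
                findings.append(f"online banking link points to {href}")
        elif parsed.hostname and parsed.hostname not in ALLOWED_HOSTS:
            findings.append(f"unexpected external link to {parsed.hostname}")
    if not saw_banking_link:
        findings.append("online banking link missing")
    return findings


# Constructed sample pages (not a real bank's HTML).
BASELINE_HTML = """<html><body><!-- generated 2010-09-01 06:00 -->
<h1>Example Community Bank</h1>
<a id="online-banking" href="https://onlinebanking.example-coreprocessor.com/login">Online Banking</a>
<a href="https://www.examplebank.com/rates">Rates</a>
</body></html>"""
BASELINE = fingerprint(BASELINE_HTML)

# Same page regenerated the next day: must not alarm.
SAME_PAGE_LATER = BASELINE_HTML.replace("2010-09-01 06:00", "2010-09-02 06:00")
# Page left visually intact but with the login link quietly redirected.
HIJACKED_HTML = BASELINE_HTML.replace(
    "https://onlinebanking.example-coreprocessor.com/login",
    "http://onlinebanking-example-coreprocessor.com.evil.example/login")
# Classic defacement: the whole page replaced.
DEFACED_HTML = "<html><body><h1>Hacked. Your data is ours.</h1></body></html>"

if __name__ == "__main__":
    for name, page in [("unchanged", SAME_PAGE_LATER), ("hijacked", HIJACKED_HTML),
                       ("defaced", DEFACED_HTML)]:
        print(name, check_page(page, BASELINE))
```

The regenerated page produces no findings, the obvious defacement produces two, and so does the quiet version where the page looks the same but the login link now goes somewhere else. That last case is the one worth losing sleep over: a defaced homepage gets noticed by the first customer who sees it, while a swapped link harvests credentials until someone checks.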
Force#5: The audit process has remained largely the same
In community banks, the process of validating the adequacy of IT security has traditionally been completed through Audit. Audit is a control that validates the adequacy of other controls. But, even given the trends we just talked about, at many community banks the audit process has remained largely the same. A typical IT audit focuses on controls as they relate to policy and procedures: is there a policy, is there a procedure, is it signed off. The general consensus is that the complexity of modern IT infrastructures requires more than that - evidence that the controls actually work against the threats described above. Check out my post here for a more detailed discussion of what that "more" looks like.
What does it all mean?
Instead of thinking about the forces on an individual basis, consider them all together. This is the reality of IT in community banking:
If there is ever an IT crisis in banking it's going to be the result of multiple converging forces. As management, you need to think about IT risk holistically. Likewise, the Audit function has to adopt a holistic approach that's capable of identifying risk as it applies to the big picture.
Peter Viglucci, CISA, CRISC
Director of Information Technology
Peter Viglucci, Director of Information Technology, has over 17 years of experience in all aspects of Financial Industry IT