Cyber Risk and Community Banks

Posted by Mark Greisiger

A Q&A with Brian Schaeffer of OceanFirst Bank N.A.

It’s a given that cyber attackers will target financial institutions but community banks and credit unions may be more vulnerable, with fewer resources to devote to security and the assumption, among perpetrators, that they’re an easier mark. I spoke to Brian Schaeffer, Chief Information Security Officer of OceanFirst Bank, a $7.4 billion asset Bank based in New Jersey, about the current risk landscape for smaller financial institutions and how they can best prepare to face off against these threats.

It’s crucial to ensure every business line is tied into the incident response and disaster recovery planning.

What are the top three security challenges that concern you?

  1. Easily, the first and most important is people. You can program systems and apply rules to make them reliable within that boundary and you can always update your software. But people must be educated and trained to handle every new threat. It’s a culture you want to instill in your organization. Creating awareness about data assets, for instance, is not easy to do. It requires you to take complex issues and boil them down into digestible chunks for folks who are not tech savvy to implement on a day-to-day basis.
  2. Next is the constantly changing threat environment and how that applies to the banking world. We have to stay aware of the threats, their sources, and respond to intelligence and regulations in near real time, which is always a challenge. Communication is key.
  3. Then there is the risk of stifling the business. There’s always a balance about putting effective controls in place that won’t break the bank, so to speak. You can lock everything down but you still have to be able to make money. The question is: How do we put controls in place that manage risk and control customer and company data at a reasonable expense?

Are third party vendors/service providers/cloud providers a concern?
Yes, because their security concerns become your problems if you are not careful. There is also the issue of fourth party providers, or providers that your third party hires to do work or perform services. This is part of the impetus behind the movement to the SSAE 18, which highlights these relationships to some degree. This focus will require extra due diligence, especially with providers that rely on cloud computing.  For instance, when considering a cloud service provider, knowing where exactly your data is located can be problematic. While there’s an advantage to using clouds for scale and growth, the risks also need to be considered more deeply. At the end of the day, you can’t just defer the risk and liability to the third parties—you need to pay attention to the controls in place, where the data is actually stored, who can access it and when.

Any advice, based on your experience, that you can offer to senior managers and security professionals in smaller financial institutions?
A few things, actually.

  1. Get informed. Get involved with organizations like Infragard and join your core providers user group. This will allow you to learn from your peers in a semi-trusted environment, to ask questions and build relationships. Be part of the conversation.
  2. Hire experts on a retainer so that if there’s an event you already have support that you trust and people who understand your network. The last thing you want to do is have to go out and hire people when you’re in the middle of a crisis situation.
  3. Have an incident response plan in your back pocket and make sure you test it.
  4. Get to know people in your role in your other industries as well as banking peers. I regularly network with people in food and healthcare because they are also regulated in a similar manner and deal with similar problems and concerns. Sometimes these people will have ideas and solutions you never thought of.
  5. Make sure you have solid connections with law enforcement. Reach out to the FBI and state police and ask them if there’s a group you can get involved with or if they have information about threats affecting your region. This is a great source for threat intelligence and again, if you face a problem, you’ll already have a good contact in place.

Can you speak to data breach preparation for financial institutions?
It’s crucial to ensure every business line is tied into the incident response and disaster recovery planning. You don’t want to have to plug new processes into the response at the last minute.

Also, understanding your insurance coverage is very important. Know the requirements of your cyber security policy and make sure you have the right practices baked in to the culture of your organization. Have an established relationship with your insurance contact so you know who and when to call in an emergency. You’d be surprised at how much time can be wasted trying to find the right person when time is of the essence. Understand the rules of engagement—knowing when your lawyer needs to be involved or initiate a conversation is important.

Make sure everyone knows their responsibilities and is empowered with information and tools to help protect the information assets of the institution. Whether you’re a CISO or a teller, it doesn’t matter—you have to know your responsibility. Communicate clearly and in approachable language so that you can be understood—the language barrier between tech people and non-tech people can pose a real problem.

Do you see the value in cyber risk insurance coverage to help a financial institution cede portion of their residual risk? 
Yes, absolutely. But I do think it can be tough to understand these policies and what they offer. They are written by insurance companies in their language and you have to ask a lot of questions to grasp the scope and limitations of coverage. It’s important that your coverage is actually appropriate for the size of your organization and that you don’t have more coverage than you need or any kind of gap.

In summary…

I want to thank Brian for his insights into the cyber risk facing the financial services sector. Brian touched on the topic of data breach readiness and having a plan “in your back pocket.” We can’t stress enough how important it is to have a granular, actionable breach incident response plan that is accessible at all times. (It’s uncanny how these events always unfold outside of 9 to 5 hours.) That plan should also include hotlines to key experts such as your privacy breach lawyer and guidance from your cyber risk insurance carrier.

On a final note, I have personally known Brian for more than ten years and he is truly a dedicated and creative cybersecurity expert, open to sharing his in-depth knowledge and ideas to help solve problems.