Having spent over four decades in the banking business, I have seen an incredible amount of change. Some was good, some was bad. I also have witnessed, during that time, some scary events. Crisis-level issues – the oil embargo of the 1970s, deregulation of interest rates, the savings and loan crisis, regulatory overkill, the technology stock bubble, preparation for Y2K, the recent financial crisis, and yet more regulatory overkill – all come to mind.
However, perhaps the scariest issue is today’s catchphrase: cybersecurity. The reason that cybersecurity is so frightening is that we have little experience dealing with anything remotely resembling it. While the bad guys behind cybercrime have nothing else to do all day but devise ways to breach databases and siphon funds to themselves, government lags behind in deterring them, and many small businesses simply lack the resources to protect themselves.
This risk is infuriating in light of mounting evidence that some foreign governments are actually encouraging their citizens to participate in cybertheft or espionage, particularly against U.S. companies and governments – or are at least looking the other way when they do. How do we combat this level of deceit? How do we adequately protect ourselves? How long before we identify effective defenses? These are only some of the vexing questions to which we have few, if any, answers.
Another level of frustration to the banking industry is that it is not possible to accurately quantify and segregate the risk. While bankers are skilled at assessing risk and appropriately pricing it into their products, the problem is that cybertheft – with its continual escalation – does not fit conveniently into any current risk-assessment models.
There is some encouraging news, though. First, for the banking industry, requirements from the Gramm-Leach-Bliley Act of 1999 have held banks to higher security standards than those of most industries. This certainly does not provide banks immunity from breaches, but it does make their security walls thicker and stronger than other organizations’ walls. Other industries must work to catch up, while banks must continue to bolster their security.
Second, there is worldwide coordination to combat cybercrime. A global organization called the Financial Services Information Sharing and Analysis Center, more commonly known as FS-ISAC, was launched in 1999 “to help members prepare for Y2K and establish an anonymous information sharing capability within the financial services industry.” The Federal Financial Institutions Examination Council recently issued a news release encouraging financial institutions to participate in FS-ISAC.
Finally, cybersecurity awareness is growing, and this year the month of October was declared National Cyber Security Awareness Month. Consumer awareness can take a big “byte” out of cybercrime; for example, according to amplifybankers.com, currently more than two-thirds of cybercrime attacks are made through phishing attempts. Helping consumers to become cyber-savvy is an additional way that financial institutions are working to combat the growing cybercrime problem.
In truth, every day is cybersecurity awareness day in the banking community. Cybercrime seems to be the most pervasive, least predictable, sneakiest, scariest threat I have observed in this industry throughout my 40-plus years in banking. The Indiana Bankers Association remains committed to helping bankers collect the necessary information and resources to address their cybersecurity needs.
– S. Joe DeHaven