Increasingly, customers are asking financial institutions for new and improved levels of digital connectivity. With that comes the need to protect the data associated with every type of banking transaction. Last month was National Cybersecurity Awareness Month, an initiative to give consumers the information they need to stay safe online, so this is a good time for banks to consider whether they are taking every reasonable step to protect their customers in a digitally connected world. Below are four considerations for banking leaders concerned about cybersecurity.
1. Evaluation of Risk
The overall risk management framework of any institution, including banks, should include cybersecurity considerations. This involves training employees on the expected digital behaviors and on the organization's processes. Employees are a critical first line of defense. For example, social engineering through phishing e-mails is one of the main causes of breaches of an organization's systems, whether the e-mail carries a malicious attachment or link or simply asks the recipient to enter credentials on a look-alike site. By continuously training staff to "think before you click," institutions reduce the chance that an employee inadvertently installs malware or hands over a password. Training is one layer, not a substitute for technical controls such as e-mail filtering and multi-factor authentication, because some phishing messages will always get through and some employees will always click. Evaluation of risk also includes understanding the potential exposure created by the cybersecurity policies and systems of all vendors and third-party partners, who often hold customer data or have access into the bank's network.
2. The Role of the ISO
An Information Security Officer (ISO) is mandated by federal banking regulations and plays a critical role in today's digitally interconnected world. He or she is the bank officer responsible for administering the bank's information security program and ensuring its effectiveness.
While the ISO reports to the board on all cybersecurity matters, the degree to which this person is engaged across all banking functions can make a significant difference in preventing digital fraud. Cybersecurity leaders need to move beyond the offices of the IT department and engage in regular, structured interactions with the CEO and other executive leaders. Regulatory guidance also expects the ISO to be independent of IT operations management, so that the person assessing the controls is not the same person responsible for running them.
It's also incumbent upon the ISO to deliver strategies and recommendations in clear, understandable language that makes the risks and benefits understood by decision makers. ISOs who communicate only in technology-specific terms and jargon are not serving the security interests of the bank well.
3. Cyber Incident Response Plan
Any organization, from a small business to a hospital, a university or a government agency, can be a victim of cybercrime. For that reason, it is important to have a cross-functional, interdepartmental plan in place to respond to a cybersecurity incident. The plan should define clear roles and responsibilities so that internal and external interactions are coordinated. Beyond the ISO, IT leaders and risk management teams, roles for the CEO, board members, communications staff, HR leadership and front-line employees should also be articulated.
The plan should include considerations for when and how regulators and law enforcement are notified and customers are informed, including who has authority to make those decisions and what information must be gathered first. Template language for explaining the bank's cybersecurity programs and processes, and for notifying affected customers, should be created in advance so it can be customized quickly depending on the type of incident. A plan that has never been exercised is unlikely to work under pressure, so it should be rehearsed periodically, for example through a tabletop exercise, and updated with what is learned.
An effective cyber incident response plan can go a long way toward limiting a potential loss of trust and ensuring continued confidence in the bank by employees, customers, investors and the public in the wake of a cybersecurity incident.
4. Customer Responsibility
Cybersecurity is most effective when practiced diligently by both the customer and the financial institution. In many cases, the opportunity to stop fraud begins with the customer, for instance by recognizing a fraudulent e-mail or text that impersonates the bank, or by noticing an unexpected transaction alert. For this reason, every financial institution should be communicating regularly and proactively with its customers through a variety of channels about the safe use of its online tools. While technology and processes can do much to mitigate risk, they are only as effective as the attentiveness of the people involved.