Where Should Smaller Banks Focus Cybersecurity Efforts?

Artificial intelligence and advanced analytics offer intriguing potential to handle many day-to-day security tasks, such as software updates and web log analysis, otherwise performed by IT pros who are becoming increasingly difficult to find. But the rush toward AI to fill in for IT staff may be overstated and not necessary, says David Stender, chief security officer at M&T Bank, in a recent article in The Wall Street Journal.

Stender warns that, in their unending search for a security “silver bullet” to solve all of their problems, companies may be overspending on cybersecurity.

It may make more sense to instead focus on ensuring basic cybersecurity hygiene, Stender says, including regular patching of devices and applications, consistent data backup and educating rank-and-file staff on better password management and how to spot phishing links in fraudulent emails.

“Spending money on cybersecurity awareness makes sense,” says Steven D’Alfonso, a research director at IDC Financial Insights who focuses on compliance, fraud and risk analytics strategies. “Most of the banks I work with do cybersecurity awareness training, but it’s possible that many of the smaller banks don’t do it, and they really should spend time on phishing tests and teaching people how to spot bad links.”

READ MORE: Get started with security automation and orchestration!

Where to Start When It Comes to Banking AI

Lacking reliable, historical metrics used by more mature disciplines such as lending and insurance, CISOs tend to ask for larger budgets than many banks may require. While larger banks typically have plenty of budget available to pay for such services and additional tools, smaller banks frequently do not.

IDC’s D’Alfonso agrees with Stender’s point that CISOs across the board should be more realistic when defining cybersecurity budgets. That doesn’t mean AI should be dismissed outright as a helpful tool. Still, before small and midsized banks can fully benefit from AI, they need to get everyone in management on the same page and map out an affordable plan. He cited AI’s potential in risk management as an attractive first step.

“The idea is to go slow, starting with something like the onboarding process,” D’Alfonso says. “Many of the onboarding processes are paper-intensive and time-consuming,” he says, adding that “if companies could automate some of that, there would be fewer errors, and new customers could get rated so the bank would have a better idea if a prospective customer were a risk for money laundering.”

D’Alfonso says once they worked through onboarding, banks could use automated analytics more effectively to identify malicious insiders. He says the new analytics tools could help banks look for suspicious patterns across an entire population of data, which would also improve their ability to detect insider threats.

“The other thing small banks could do to alleviate the security worker shortage is to look for a cloud app or managed service that could handle many of the routine cyber hygiene functions,” D’Alfonso says. “Hiring security talent can be very expensive, and a cloud service could offer the bank many of the new advanced security features.”

Is AI a Doubled-Edged Sword for Banks?

The U.S. Office of the Comptroller of the Currency early in 2018 highlighted cybersecurity, banks’ relationships with financial technology companies and anti-money-laundering efforts as key concerns for the federal banking system in its Semiannual Risk Perspective, according to Reuters. The report points out that operational risk remained a main focus for banks, and that the ever-increasing complexity of cybersecurity threats would require banks to assume multilayered security approaches.

“Use of third-party service providers in transforming banks’ technology and operating platforms is another area of operational risks that warrant heightened supervisory focus,” according to the Reuters article. “Through new products and services offered by financial technology companies, banks have been increasing their use of third-party service providers that support their key operations.”

“The OCC noted the increased use of a limited number of third-party service providers for some critical operations, such as merchant card processing, denial-of-service mitigation, trust accounting systems securities settlements and custody. It warned this may create concentrated points of failure resulting in systemic risk to the financial services sector,” according to Reuters.

The advice is clear: Banks large and small may contract with cloud-based tools to realize built-in AI benefits more quickly, but oversight of those third-party providers never goes away, and may become an even higher priority task for CISO teams.