Jun 03 2025

American Banker Digital Banking Conference: How Fifth Third Bank Stays Cybersecure

How is the $200 billion bank managing the biggest security challenges of our time?

What keeps Brian Minick up at night? As the chief technology and security officer for Fifth Third Bank, what doesn’t?

To start with, he says, “you have the nation-state supported threat actors, and you can think of those as the apex predators of the cybersecurity world. And in financial services, we have some of that. But most of what we’re dealing with in this sector is organized crime — people just trying to steal money,” Minick said during a “fireside chat” at the American Banker Digital Banking conference, taking place in Boca Raton, Fla., through June 3. “And from a capabilities standpoint, they’re a little less sophisticated than the nation-state actors, but still very good at what they do.”

Cincinnati-based Fifth Third is a top-20 U.S. bank with almost $212 billion in assets and about 1,100 branches in 11 states. (The institution got its unusual name from the 1909 merger of Fifth National Bank and Third National Bank.)

With both the number of threats and the sophistication of threat actors increasing, Minick described an all-of-the-above security strategy that relies on a combination of off-the-shelf and proprietary security solutions.

“The key is to have as broad of a toolkit to detect attackers as you can get,” Minick said. “From our perspective, we think about buying some of the best industry products available to knock down the noise, and those are going to catch over 95% of the attacks against us. And then we use our own proprietary capabilities, with our own threat intelligence, to catch that other 5%.”


Managing Third-Party Risk in Financial Services

Minick walked the audience through some of the biggest contemporary challenges to securing a modern financial institution and described how Fifth Third responds to these challenges. One of these is managing the cybersecurity risk introduced by third parties such as vendors, a huge challenge for banks that rely on fintech partners to help them with things like transaction management and data analytics.

“Third-party risk is a big challenge,” Minick said, noting that institutions should apply a multipronged approach to managing it. “It starts with vetting any third parties you use,” he said. “You need to understand exactly what their security protocols are and what they’re doing.”

Financial services companies often have difficulty forging new partnerships, even with firms whose products they like, because they don’t always meet the stringent cybersecurity requirements of regulators. This is especially true among startup technology companies, Minick said, which is disappointing because many startups are developing innovative solutions.

Before he started his role at Fifth Third, Minick founded his own cybersecurity startup. In those days, he said, he’d often steer clear of trying to sell into industries, including finance, that had high barriers to entry.

“In financial services, the bar is much higher than it is in other industries,” he said. From the perspective of startups, “we’re not the 30,000-pound gorilla in the room.”


Ensuring Good Cloud Security in Financial Services

Minick described three additional challenges:

Cloud security. Protecting financial networks isn’t harder in the cloud, just different. In fact, Minick said, “some things are easier on cloud. For example, encrypting data: On cloud, you just have to click a button, and my job is to make sure the button is clicked.” Data encryption in a bank’s own data center is a lot more complicated. That said, bank security leaders need to recognize that the cloud “is not a silver bullet that solves all problems. It does make some things easier, but it also introduces new problems.”

Managing regulations related to data governance, which change at each nation’s border, is one challenge that encourages financial institutions to keep tight control over where the data physically resides. Fifth Third’s goal is to be “cloud smart,” thinking of cloud as one option among several where they might run workloads.

Talent management. Even at a large institution such as Fifth Third, finding and retaining well-qualified security talent is one challenge. Keeping the security team you have engaged — notwithstanding inevitable alert fatigue — is another. To keep its team sharp, the bank rotates employees through different responsibilities, and it runs programs such as bug bounty competitions and red teaming.

“Anything we can do to find weaknesses within our systems, within our code, we welcome that — at least, anything legal,” Minick said.

Emerging threats. Cyberattackers never sleep and are constantly looking for new tactics to gain access to networks. In addition to attackers’ increasing ability to leverage artificial intelligence, Minick mentioned emerging technology such as smart glasses, which have tiny cameras built into the frames.

“The fraudster comes to a person and says ‘I don’t need you to do anything except wear these glasses as you help customers. You don’t have to steal anything, you don’t have to write anything down. Just wear the glasses,’” Minick said. “How do you protect against that?”

The best defense is a security culture where people are encouraged to come forward and report anything that seems amiss, he said: “People need to not be afraid to tell you something, even when they did something wrong.”


Photography by Bob Keaveney