Banks Face Growing Cybercrime Threat

John Suek and Michael Perez

Cybercrime is on the rise in the Eleventh District, with reported incidents jumping 15 percent to 31,185 in 2018 and losses increasing 69 percent to about $220 million over the 12-month period, according to FBI data.^[1]

Moreover, the U.S. Federal Bureau of Investigations (FBI) estimates that losses are significantly underreported; only 15 percent of victims file a complaint.

Big companies often receive the most attention after cyber incidents—specifically data breaches involving large volumes of records—but small businesses are also at significant risk.

For example, according to the Verizon 2019 Data Breach Investigation Report, 43 percent of data breaches reported nationally in 2018 occurred at small businesses.

Moreover, those figures don’t take into account other types of cyber incidents at small businesses, such as instances of ransomware or business email compromise.

Cyberattacks are comparatively more burdensome for smaller firms, as they usually do not have the monetary, legal and technical resources of bigger firms.

Banks are particularly attractive cyber targets because they hold money and data. The data include customers’ personally identifiable information, including Social Security numbers, addresses and dates of birth.

Most bank systems operate and data reside on networks that require effective security measures. Cybercriminals make every effort to compromise those security measures to steal money or customer data that they can sell on black markets.

The composition of banks in the Eleventh District influences regulatory oversight by the Federal Reserve Bank of Dallas. Smaller banks predominate in the Eleventh District.

There were 484 community banks and seven regional banks as of June 30, 2019. Community banks have less than $10 billion in assets and regional banks have between $10 billion and $100 billion in assets.

Eleventh District banks’ regulatory filings and public disclosures suggest increasing awareness of cybercrime.

The Financial Crime Enforcement Network (FinCEN) requires financial institutions to file suspicious activity reports for incidents that may signal money laundering and other criminal activity, including cybercrime.

Regulators can more easily track cybercrime within financial institutions after FinCEN added a “cyber” category to suspicious activity report forms in June 2018.

District institutions filed 561 such reports in the first nine months of 2019, compared with 126 for all of 2018. Of note, the majority of reports involved cyberattacks on financial institution customers and not direct attacks on the institutions themselves.^[2]

‘Cybersecurity’ Mentions

References to cybersecurity also have become more prevalent in recent annual reports and investor disclosures of publicly held banks in the Eleventh District (Chart 1).

While there is no specific regulatory requirement to include these references, such discussion in these filings touches upon potential risks associated with the use of third-party vendors, the potential for cyber-related events, business disruptions and associated losses, and regulatory expectations for managing risk.

Incidents bank examiners have encountered as well as industry experience point to three measures banks can take to address cybersecurity threats: strengthening management of vendor risks, awareness of insider threats and protecting information technology (IT) assets.

The scope and frequency of vendor reviews are key to an effective vendor risk management program. Employee training on proper handling of privileged credentials or information provides a defense against insider threats and IT risk. Careful asset management helps secure systems, ensures patch management and aids the migration of platforms over IT assets’ lifespans.

Downloadable chart

Notes
Data from 2016 Internet Crime Report, 2017 Internet Crime Report and 2018 Internet Crime Report, Federal Bureau of Investigation Internet Crime Complaint Center, www.ic3.gov.
Data obtained from Financial Crimes Enforcement Network Suspicious Activity Report Statistics (SARS Stats), www.fincen.gov/reports/sar-stats. The FinCEN definition of depository institutions includes credit unions.

John Suek is a senior IT examiner in the Supervisory Risk and Surveillance division at the Federal Reserve Bank of Dallas. Michael Perez Perez is a financial industry analyst in the Supervisory Risk and Surveillance division at the Federal Reserve Bank of Dallas.

Source: Federal Reserve Bank of Dallas