Steps Smaller Banks Can Take To Better Manage Cybersecurity Risks

Defending against cybersecurity threats has become increasingly challenging for small and mid-sized banks as their technology estate grows alongside already intricate—and often fragile—legacy systems. A larger technical footprint creates more potential points of attack, which adversaries are increasingly adept at identifying and exploiting, posing significant risks to both individual institutions and the broader industry.

During the “How Community and Midsize Banks Can Persevere in Today’s Complex Tech Ecosystem” session at this year’s Global Compliance and Operational Risk conference, panelists discussed the resource and management challenges this new level of technical complexity creates for smaller banks—and steps they can take to mitigate the risk. They also explained what’s at stake for banks in an increasingly cyber-hostile world.

“If a bank had a sizable enough cyber-attack, the reputational risk associated with that could force them into a very treacherous position,” said Sean Singleton, a board member of the $30 billion Washington Federal Bank and managing principal at Oglethorpe Capital.

With fewer resources than their large-bank peers, community and midsize banks sometimes struggle to invest in the latest cybersecurity technology. That said, they have options for effective cybersecurity that won’t break the proverbial bank, panelists shared.

“Even with limited resources, there is more that you can do than you might think,” said Robert Gardner, founding member of New World Technology Partners, a technology ventures incubator in Maryland.

Those options include:

  • Using low-cost, high-payoff tools for mapping IT assets.
  • Practicing incident response before a crisis.
  • Strategically allocating cybersecurity resources by enterprise-level threats.
  • Collaborating with professional associations and federal agencies.

Mapping the IT Estate

Companies need to understand how all the pieces of their IT estate fit together in order to prioritize scarce cybersecurity resources, said Christopher Neumann, chief information security officer for Covetrus, an animal health company. “If you don’t know it exists, you can’t protect it,” he said.

A simple “wiring” diagram that includes third-party solutions can provide transparency for identifying areas that need resources and for finding quicker resolutions to incidents. Low-cost governance, risk, and compliance tools can help with scanning and building solution profiles for an operating map—invaluable for an incident-response playbook. It also is important to engage third-party experts for an outside perspective on where the organization could be vulnerable.

“It's good to think like an attacker when you’re trying to protect the assets,” Neumann said. “I can guarantee you, there are other people who are not at your company looking at your organization, and they’re looking for an entry point.”

Many of the large cyber breaches have been caused by vulnerabilities in vendors, so banks should deploy a careful governance process when onboarding a vendor and then use automated tools to check the supply chain thereafter, he said. Attack surface management software can monitor assets and networks to identify vulnerable areas.

Practicing Incident Response

Success responding to a cyber incident depends on planning and practicing beforehand, said Matt Barrett, chief operating officer at CyberESI, a computer forensics and incident response provider.

Your team’s roles and responsibilities should be spelled out in an incident response plan, which also includes guidance for defining an incident, methods for getting incident alerts, what steps to take for each kind of incident, and whom to involve—including legal and/or law enforcement—as part of the resolution plan.

Tabletop exercises are an effective way to simulate incident scenarios and role-play responses. Exercises that mix red team members emulating attackers with blue teams playing the defender roles can reveal where threats might first appear and to whom, and which response procedures are best suited for the moment, Barrett said.

Banks should retain an outside law firm to assist with incident response prior to a crisis. They also need a business continuity plan for getting back to normal after a cyber incident, including backups to restore operations after a ransomware attack.

Allocating at an Enterprise Level

With their limited resources, smaller organizations need to take an enterprise-wide view of their cybersecurity risk, said Nahla Ivy, enterprise risk management officer for the National Institute of Standards and Technology (NIST).

Conducting a business impact analysis including key stakeholders can identify business-critical functions and key financial drivers—revenue, earnings, capital investment, et al.—that require additional resources and planning for cybersecurity. Allocating resources commensurate with enterprise exposure is much easier and less expensive than “chasing down every vulnerability that’s under the

NIST provides guidance on how to analyze system vulnerability and integrate cybersecurity into the enterprise using tools including its cybersecurity framework, risk management framework, and recent guidance on conducting business impact analysis.

Collaborating Outside

Those banks that can’t afford to hire teams of outside cyber professionals or attract staff from a limited pool of experienced and available talent should seek to collaborate with networks of chief information security officers from other banks, said Singleton. And as banks look to fill board vacancies, they should consider candidates with experience managing cybersecurity risk.

Federal law enforcement is another “force multiplier” for collaboration, especially considering its mandate to protect the banking system, he said. Banks can build relationships with the FBI, the U.S. Treasury Department’s Financial Crimes Enforcement Network, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, along with state agencies and even Interpol, which deals with international cyber groups engaging in ransomware and other attacks.

Banks should proactively discuss their operations with the agencies to collect helpful tips and pointers, Singleton said: “The best time to do so is when you don't have a vulnerability.”