
With the recent string of high-profile cyberattacks, businesses have seen the harm ransomware can do to their operations, finances and reputations.

For banks and credit unions, risks associated with cybersecurity attacks matter not just to their own operations but to their business customers as well. A cyberattack could cause a business to lose data, have its bank accounts compromised or even shut down, all having direct effects on banks and credit unions. 

“We have a very customer-centric culture,” said Holly Ridgeway, chief security officer at Providence-based Citizens Bank. “My role is to protect the bank and customer data, and when customers have any cyber event, there’s always a possibility that either fraud can occur or their emails could be compromised … that could have possible negative outcomes on the bank.” 

In this environment, national banks like Citizens and community banks like Wakefield-based The Savings Bank have taken steps to make cybersecurity awareness part of the resources and services provided to commercial clients.  

“If it impacts the customers, it impacts us,” said Maria Melo, a senior vice president and systems manager at The Savings Bank.

Many Firms Don’t Train Staff 

A report by RSM US and the U.S. Chamber of Commerce found that 28 percent of middle-market companies it surveyed had a data breach in 2020. But not all businesses provide employees with cybersecurity training. 

The report found that 49 percent of respondents from companies with $10 million to $50 million in revenue and 57 percent of those with $50 million to $1 billion in revenue provided training to all employees. Other companies provided training to some employees, while among smaller-sized companies, 15 percent had no training.  

To help minimize the risks associated with cyberattacks, Ridgeway said, Citizens has developed resources to educate business customers and provide best practices for both preventing an attack and preparing how to respond if one happens.  

“It takes a village,” Ridgeway said. “Citizens feels it’s really important not only on our side but on the part of our customers to help them stay aware of what’s going on.” 

The bank provides information, such as organizations businesses can join and government agencies they can follow to receive updates on cybersecurity. Citizens also recently held a webinar that included Ridgeway, the bank’s legal team and a cybersecurity firm to help businesses understand the different types of threats and how to prepare to respond to an attack.  

Because every organization is different – from the company’s size and its appetite for risk to whether it uses managed service providers – Ridgeway said having discussions about the various aspects of cybersecurity is important for organizations individually.  

The efforts help the bank as well, she said. 

“With this awareness, they can let us know they had any type of cyberattack, and then we can make sure on our side that we’re aware of it and that we can take proper measures to help them protect their data on their side, but make sure that their interactions on our side maintain security,” Ridgeway said. 

Some banks have started to use their own cybersecurity expertise to coach business customers in how to defend themselves from threats.

Bankers Offer Clients Tips 

Businesses could lose data or money, suffer reputational harm or even have to shut down as a result of a cyberattack, said Melo with The Savings Bank. 

The Savings Bank gives cybersecurity information to new business customers, Melo said, and like Citizens, runs webinars as well.  

One webinar that the bank did for its business customers was recorded and made available online. Karen Benedetti, the bank’s vice president of marketing, said the bank used customer email notifications, local chambers of commerce and other marketing and advertising to put the recording before a wide audience. It has even run on Wakefield’s community access television station. 

Melo said bank employees are continually trained on security updates and talk about these updates with business customers, focusing on the reality that these attacks are likely to happen. 

“It’s not ‘if it happened to you,’” Melo said. “It’s ‘when it’s going to happen to you,’ and that’s the philosophy throughout the bank: Don’t think it’s not going to happen to you.”  

Even as ransomware attacks evolve, the best way to prevent an attack is to train employees at all levels of the organization, up to the CEO and board of directors, said Konrad Martin, CEO of Medfield-based IT consultancy Tech Advisors. Part of that training involves simulated phishing emails, to test whether employees download attachments or reveal secure information.  

Martin, who runs these tests for his clients, advises against reprimanding these employees and suggests supplementing training based on test results.  

“Don’t be upset that an employee gets caught – that’s what we’re trying to do,” Martin said. “The end goal is to teach them what the cybercriminal is doing to try to trick them into clicking on an attachment, giving up their credentials.” 

A Growing Concern for Lenders 

As regulated institutions, banks and credit unions already take steps to protect their networks and data. But regulators are concerned about cybersecurity.  


To help further improve the sector’s resistance to attacks, the Massachusetts Division of Banks released a ransomware self-assessment tool in October that it had developed in partnership with the Texas Department of Banking, the U.S. Secret Service and the Bankers Electronic Crimes Taskforce, made up of CEOs from across the U.S.  

Designed for community banks and credit unions, the tool uses 16 questions to help financial institutions identify potential security weaknesses and increase ransomware preparedness. 

The federal government is also working to address cybersecurity at financial institutions. Shortly after the Colonial Pipeline ransomware attack in May, which disrupted fuel and gasoline supplies in parts of the Eastern United States, President Joe Biden signed an executive order to help government agencies and businesses improve cybersecurity. 

The Financial Crimes Enforcement Network (FinCEN) recently announced that it will convene financial industry stakeholders in August for a meeting about ransomware.  

As Cyber Threats Grow, Banks Step in to Help Business Customers

by Diane McLaughlin