Nebraska Banker, Pub. 18, 2023-2024, Issue 4
November/December 2023

Cover: President’s Message: Stay Informed, Stay Involved and Share Your Collective Voice!

Would you like to transform the management of your information security program from a daunting chore to a process that fuels better decisions? SBS can help! SBS empowers financial institutions to make informed security decisions and trust the safety of their data based on a valuable information security program. To learn more, visit www.sbscyber.com today! Robb Nielsen, robb.nielsen@sbscyber.com, 605-251-7375

233 South 13th Street, Suite 700, Lincoln, NE 68508
Phone: (402) 474-1555 • Fax: (402) 474-2946
www.nebankers.org

NBA EDITORIAL STAFF
RICHARD BAIER, President and CEO, richard.baier@nebankers.org
KARA HEIDEMAN, Director of Communications and Marketing, kara.heideman@nebankers.org

NBA BOARD OF DIRECTORS
LYDELL WOODBURY, NBA Chair, (402) 359-2281, First Nebraska Bank, Valley
BRADLEY KOEHN, NBA Chair-Elect, (402) 420-0560, Midwest Bank, Norfolk/Lincoln
KATHRYN BARKER, (402) 333-9100, Core Bank, Omaha
NICHOLAS BAXTER, (402) 341-0500, First National Bank of Omaha, Omaha
CORY BERGT, (402) 875-4732, Wells Fargo Bank, N.A., Lincoln
JILL DAVIS, (402) 434-1690, U.S. Bank, Lincoln
CURTIS HEAPY, (308) 367-4155, Western Nebraska Bank, Curtis
KRISTA HEISS, (308) 534-2100, NebraskaLand Bank, North Platte
ZACHARY HOLOCH, (402) 363-7411, Cornerstone Bank, York
JEFF KANGER, (402) 858-1253, First State Bank Nebraska, Lincoln
ZAC KARPF, (308) 632-7004, Platte Valley Bank, Scottsbluff
JOHN KOTOUC, (402) 399-5088, American National Bank, Omaha
MARK LINVILLE, (402) 337-0323, First State Bank, Randolph
KRISTEN MARSHALL-MASER, (308) 384-5681, Five Points Bank, Grand Island
BRANDON MASON, (402) 918-2332, BMO, Omaha
JEREMY McHUGH, (402) 867-2141, Corn Growers State Bank, Murdock
AARON OTTEN, (402) 371-0722, Elkhorn Valley Bank & Trust, Norfolk
KEVIN POSTIER, (402) 723-4441, Henderson State Bank, Henderson
JAY PRESTIPINO, (402) 392-2616, First Interstate Bank, Omaha
LUKE RICKERTSEN, (308) 537-7181, Flatwater Bank, Gothenburg
RYNE SEAMAN, (402) 643-3636, Cattle Bank & Trust, Seward
TRAVIS SEARS, (402) 323-1828, Union Bank & Trust Co., Lincoln
STEPHEN STULL, NBA Past Chair, (402) 792-2500, Nebraska Bank, Hickman/Dodge
KELLY TRAMBLY, (402) 756-8601, South Central State Bank, Campbell
NICHOLAS VRBA, (402) 727-0213, RVR Bank, Fremont
ANDREW WITT, (402) 504-4000, Dundee Bank, Omaha


EDITORIAL: Nebraska Banker seeks to provide news and information relevant to Nebraska and other news and information of direct interest to members of the Nebraska Bankers Association. Statements of fact and opinion are made on the responsibility of the authors alone and do not represent the opinion or endorsement of the NBA. Articles may be reproduced with written permission only.

ADVERTISEMENTS: The publication of advertisements does not necessarily represent endorsement of those products or services by the NBA. The editor reserves the right to refuse any advertisement.

SUBSCRIPTION: Subscription to the magazine, which began bimonthly publication in May 2006, is included in membership fees to the NBA.

©2023 NBA | The newsLINK Group, LLC. All rights reserved. Nebraska Banker is published six times each year by The newsLINK Group, LLC for the NBA and is the official publication for this association. The information contained in this publication is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney as to your circumstances. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of the NBA, its board of directors, or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service advertised. Nebraska Banker is a collective work, and as such, some articles are submitted by authors who are independent of the NBA. While Nebraska Banker encourages a first-print policy, in cases where this is not possible, every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at 855.747.4003.

CONTENTS
8 PRESIDENT’S MESSAGE: Stay Informed, Stay Involved and Share Your Collective Voice! Richard J. Baier, President and CEO, Nebraska Bankers Association
10 WASHINGTON UPDATE: The High Cost of Too Much Capital. Rob Nichols, President and CEO, American Bankers Association
13 COMPLIANCE ALLIANCE: One Rule for All: Interagency Guidance for the Risk Management of Third-Party Relationships. Julia A. Gutierrez, Director of Education, Compliance Alliance
18 COUNSELOR’S CORNER: Commercial and Consumer Fraud: Who’s Liable? Nick Buda and Bob Kardell, Baird Holm, LLP
24 TECH TALK: The New Ransomware Self-Assessment Tool (R-SAT): Changes in Latitudes, Changes in Attitudes. Shane Daniel and Laura Zannucci, SBS CyberSecurity
30 2024 EDUCATION CALENDAR


PRESIDENT’S MESSAGE
Stay Informed, Stay Involved and Share Your Collective Voice!
Richard J. Baier, President and CEO, Nebraska Bankers Association

Forty-seven bankers from Nebraska who attended an American Bankers Association meeting in Kansas City in 1889 recognized the need for Nebraska banks to organize and speak collectively on important industry issues, particularly government relations, public policy and subsequent advocacy. The NBA was officially organized on January 22, 1890, by 265 bankers who attended the inaugural NBA Convention in Omaha. Now, nearly 134 years later, the need to speak collectively on important public policy, political and regulatory issues may be even more important than when the NBA forefathers met in Omaha in 1890.

While I appreciate history, I have not always acquired or appreciated the details as much as I should have. I recently had a chance to review some of the early banking history outlined in A History of Banking in Nebraska, a book authored as part of the NBA’s 100th anniversary. During the brief history lesson, I was quickly reminded of how history often repeats itself. For example, banks in the late 1850s issued private banknotes to be used as currency; today’s digital currencies seem to share many similar characteristics. Likewise, the book describes the “antibank” men who voiced strong opposition to the creation of the state’s first bank charters. I would suggest facetiously that these “antibankers” were dressed as supporters of credit unions and the farm credit system. Similarly, the year the NBA was organized, Nebraska experienced a record drought and low market and crop prices. Lower crop prices led to substantial reductions in land costs but higher taxes. The public response to these early banking challenges was to further limit banking activity and impose early bank regulation.

The exorbitant list of government-proposed rules and regulations confronting Nebraska banks during late 2023 reflects turbulent economic times much like those faced by Nebraska’s banking pioneers. NBA members and staff are currently committing significant time and resources to confront a variety of these modern-day, ill-advised proposals, including (but not limited to):

1. Limiting interchange fees on both credit and debit card transactions at a time when banks are being required to invest even more resources to prevent fraud and protect consumers.
2. After almost six years of discussion, the release of new Community Reinvestment Act guidelines consisting of almost 1,500 pages of complex government regulation that adds to the regulatory burden.
3. Recently proposed guidance by the FDIC related to governance of banks with $10-50 billion in assets. These proposals suggest new bank board governance, such as the requirement to have an outside director chair the bank board, among others. While the proposal does not currently impact many NBA members, we know all too well that these types of regulations routinely flow downhill to banks of all sizes and types.
4. A recent proposal by the U.S. Department of Labor to reclassify numerous industry frontline positions from exempt to nonexempt positions for purposes of overtime pay. This proposal treats employers the same regardless of geography.
5. Abusive expansion of Section 1071 of the Dodd-Frank Act, which identifies the types of information bankers must collect from their business borrowers, including farmers.
6. In response to the bank failures of last spring, calls for increased capital requirements for banks of all sizes.

And the list goes on. Nebraska banks have never shied away from taking important leadership roles in their communities, nor have we lost focus on helping our customers survive and thrive. Unfortunately, the current regulatory and economic climate is thrusting new and not always predictable arrows in our direction. To successfully confront these challenges, the NBA needs your collective support and input. I want to personally encourage you to stay informed, stay involved and share your collective voice!

Each year, Nebraska bankers visit Washington, D.C. for the NBA Washington Legislative Visit and the American Bankers Association Washington Summit. The trip is an opportunity for the Nebraska banking industry to make its collective voice heard by the Nebraska congressional delegation.

WASHINGTON UPDATE
The High Cost of Too Much Capital
Rob Nichols, President and CEO, American Bankers Association

In early October, I sat down with Federal Reserve Vice Chairman for Supervision Michael Barr at ABA’s Annual Convention in Nashville. The topic of our conversation was bank capital. The failures of Silicon Valley Bank, Signature Bank and First Republic Bank have prompted regulators to begin clamoring for major capital increases at larger banks. My question to Vice Chairman Barr was: why? Why, when the spring bank failures were attributed to a combination of idiosyncratic liquidity challenges, poor risk management practices and oversight missteps, did regulators put capital in the crosshairs? Why, when policymakers, including the vice chairman himself, have repeatedly stated that the banking system is strong, resilient and well-capitalized, is a major change in capital levels suddenly warranted?

While I appreciated the vice chair’s willingness to engage in the conversation, I found the answers I received unsatisfying, to say the least. He echoed a common argument among proponents of the so-called “Basel III endgame,” namely that the last set of capital changes, instituted after the 2008 financial crisis, did not lead to dramatic economic declines and that the banking system continued to grow, even while holding higher amounts of capital in reserve. While these statements aren’t false, they’re a poor justification for additional capital increases now. The truth is the post-crisis capital changes did affect economic growth, and they succeeded in driving business outside of the regulated banking sector. Just look at bank mortgage originations in the years since 2007. The share of mortgage originations by banks has declined steadily since the post-crisis rule changes, plummeting from around 80% to just under 30% in 2022. That’s just one example; there are others.

Here are the facts: We already have an effective framework in place that requires regulators to sensibly tailor rules based on a bank’s risk profile and business model. Banks are already holding sufficient capital, as evidenced by the industry’s collective weathering of several significant events in recent years, from a global pandemic to a period of rapidly rising interest rates to resiliency in the face of the isolated bank failures in the spring. The proposed rules on the table would return our current framework to a one-size-fits-all approach that would put U.S. banks at a competitive disadvantage to their foreign peers. They have the potential to drive more business away from banks and into the less regulated shadow banking sector. They also fail to appropriately consider the potential economic consequences of forcing banks to hold even more capital in reserve. Bankers know there is a cost to holding too much capital, and it’s paid by both consumers and businesses who need credit. To ignore these realities would be a misstep, especially since history tells us that any capital increase for larger banks will eventually affect community banks as well.

That’s why ABA has been so vocal in calling on regulators to conduct a thorough quantitative impact study to determine the full extent of potential economic consequences, which they agreed to do in mid-October, alongside an extension of the comment period. However, simply collecting the data is not enough. Regulators and the public need ample time to review and evaluate the data to understand the full picture, and the current timeline, even with the comment deadline extension, does not allow for that. Given the wide-ranging effect this rulemaking could have, the only appropriate course of action is for regulators to withdraw and repropose the rule after the data can be fully assessed.

Changes to capital rules, even if they are only intended for the largest banks, will inevitably affect all parts of the banking system. This is too important to get wrong.

Email Rob at nichols@aba.com.


COMPLIANCE ALLIANCE
One Rule for All: Interagency Guidance for the Risk Management of Third-Party Relationships
Julia A. Gutierrez, Director of Education, Compliance Alliance

The day-to-day functions of a financial institution would be impossible without the ability to outsource. Recently, the existing guidance specific to each regulatory agency (the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency) was replaced with a single document, the Interagency Guidance on Third-Party Relationships: Risk Management. The interagency guidance aligns the regulatory requirements and risk management expectations for third-party relationships among the federal banking agencies.

Financial institutions routinely rely on third-party relationships for their day-to-day functions and existence. In today’s ever-growing world of speed and technology, it would be nearly impossible to be successful and competitive without outsourcing to third-party vendors. Financial institutions may rely on outsourcing for a range of products, services and other activities. Outsourcing offers financial institutions a number of significant benefits, including faster and more efficient access to technologies, human capital, delivery channels, products and services, and markets. It can also mean a more cost-effective operational existence overall.

Despite the option to outsource certain functions and activities, financial institutions must still adhere to risk management and compliance expectations. The use of third-party relationships does not alleviate the need for sound risk management within an organization. In fact, it’s quite the opposite when it comes to third-party relationships. Third-party relationships, especially those involving new technologies, can present an even higher or more elevated risk for financial institutions. A phrase we commonly use in the compliance industry is, “You can contract away the function, but you can’t contract away the compliance responsibility.” Financial institutions must understand their responsibilities to ensure safe and sound third-party relationships and practices, in conjunction with compliance with all applicable laws and regulations, including those which are intended to protect consumers.

The New Interagency Guidance

On June 6, 2023, the federal banking agencies issued the Interagency Guidance on Third-Party Relationships: Risk Management. Much of what is outlined in the new interagency guidance is already familiar to financial institutions: the core concepts remain consistent with the individual agency guidance that existed prior. What the new interagency guidance adds is consistency and a single interagency approach to managing third-party risk. This is especially important for those relationships which involve critical third parties and relationships that are customer-facing or may otherwise be impactful to consumers.

The new interagency guidance was developed to align with the expectations and best practices in other areas of risk management. It describes a vendor management lifecycle which includes six steps:

1. Planning for a relationship
2. Due diligence and third-party selection
3. Contract negotiation
4. Oversight and accountability
5. Ongoing monitoring
6. Termination

It’s worth noting that the guidance is broadly applicable and applies to all business arrangements. It doesn’t specifically address the various categories or types of third parties, such as artificial intelligence or fintech firms, but the principles within the guidance apply to all third parties and third-party relationships. That being said, while financial institutions must manage all third-party relationships, they need not manage every relationship to the same extent, since the principles within the guidance can be tailored to the risk of each relationship. The interagency guidance provides a number of examples, which should not be interpreted as exhaustive, that financial institutions may consider for their due diligence processes. The agencies do note that the guidance does not impose any new regulatory requirements.

The new interagency guidance may not create any new regulatory requirements for financial institutions, but it is focused on managing the various risks associated with outsourcing certain products, services and activities, especially those impacting consumers. The guidance is a reminder to financial institutions that consumer protection and compliance remain a priority among the regulatory agencies. The guidance emphasizes compliance and consumer protection; those phrases, and similar phrases, are mentioned numerous times throughout the guidance. Financial institutions must be particularly diligent in ensuring they, and their third-party service providers, abide by and comply with all applicable laws and regulations. This includes ensuring that their financial institution, and any third-party service providers, do not engage in any unfair or deceptive acts or practices.

The new interagency guidance provides clarification regarding the oversight of a third party’s subcontractors, indicating that financial institutions should focus on the selection and oversight processes of their third party. Financial institutions are not expected to oversee the subcontractors directly. The guidance also clarifies and distinguishes the roles of the board of directors and senior management when it comes to third-party oversight. The guidance provides various factors that the board of directors may consider in carrying out its responsibilities, and it also identifies activities and responsibilities that management may perform.

Many see this new interagency guidance as a signal to financial institutions that enhanced risk management practices are an area of focus for regulators and are critical to the safety and soundness of an institution. This guidance, along with other recent consent orders, may be foreshadowing the supervisory focus on vendor management relationships and the bank’s risk management practices for maintaining such relationships. However your institution interprets the new guidance, it is essential that a review of its current policies, procedures and risk management practices is conducted to ensure they align with the new interagency guidance. Since much of the guidance highlights due diligence, contracts and the management of third-party risk and relationships, banks should consider integrating, or at least addressing, their third-party relationship risk management program within their overall enterprise risk management program.

Julia A. Gutierrez serves as Compliance Alliance’s Director of Education, developing curriculum and presentations as well as presenting at various schools and seminars, both live and in a livestream/hybrid format. Julia has over 20 years of financial industry experience with the Compliance Alliance team.


COUNSELOR’S CORNER
Commercial and Consumer Fraud: Who’s Liable?
Nick Buda and Bob Kardell, Baird Holm, LLP

Banks are no strangers to fraud, including check, wire and email fraud. Yet, identifying the latest fraudulent scheme and, more importantly, who is liable for the resulting loss can be confusing. This article identifies a few examples of commercial and consumer fraud, what a bank can do to help protect itself against losses and who is responsible for the loss.

Part I – Commercial Fraud

A Bank’s Options for Minimizing Liability for Check Fraud

Commercial check fraud is still a widespread issue that banks routinely encounter. Articles 3 and 4 of the Nebraska Uniform Commercial Code (UCC) govern the procedure for allocating the loss resulting from a counterfeit, forged or altered check among the parties involved in the check processing system. As a general rule, a bank may only charge its customer’s account when the bank is presented with an item that is properly payable from its customer’s account.1 But what happens if a fictitious check or transaction has been presented for payment?

Usually, the item is not “properly payable” because it has not been “authorized by the customer.” In most cases, the bank that is directed to pay the check is strictly liable for charging its customer’s account for a counterfeit, forged or altered check.2 A depository and/or payor bank that wrongfully accepts for deposit and/or pays an unauthorized check may avoid liability in certain, limited circumstances, where it can show that “(1) its customer, the drawer, was negligent; (2) the drawer’s negligence ‘substantially contributed’ to the alteration and (3) the drawee/payor bank paid the check in ‘good faith.’”3

A bank, however, can take proactive steps to protect itself from strict liability by entering into a carefully crafted deposit account agreement with its customer, including requiring the customer to implement services such as positive pay, or cybersecurity standards such as hardware and software firewalls and VPN encryption, to help identify and protect against fraud.4 The following deposit account language may be effective in helping reduce a bank’s strict liability for paying unauthorized checks or transactions:

“You agree that if you fail to implement any of these products or services, or you fail to follow these and other precautions reasonable for your particular circumstances, you will be precluded from asserting any claims against [bank] for paying any unauthorized, altered, counterfeit or other fraudulent item that such product, service, or precaution was designed to detect or deter, and we will not be required to re-credit your account or otherwise have any liability for paying such items.”5

Part II – Consumer/Personal Fraud

Business Email Compromise Schemes

Email fraud has continued to proliferate in recent years. Targeted phishing attacks had a single purpose: to take over the account of an executive and use the executive’s account to convince employees, vendors or clients to divert a wire transfer to another bank account. The scam is known in federal law enforcement as business email compromise (BEC). The FBI estimates that over $10 billion was lost to email schemes in 2022.6

BEC scams take several different forms, but the most prevalent recently is the supplier or vendor scam. In such a scam, the email account of a supplier or vendor is compromised using phished or stolen credentials or credentials found on the dark web. The compromised email account is then used to convince the company that the vendor has established a new bank and a new account to receive transferred funds. The vendor scam is usually discovered only after the legitimate vendor complains that payment has not been received, which could be several months later depending on the terms of purchase, while the customer-facing variant (in which a company’s own compromised mailbox is used to send its customers new payment instructions) is usually not discovered until payment is not received from the company’s customers.

BEC fraud leaves the two parties with a claim against each other: the payor has usually paid for services or goods rendered, but the payment went to the fraudster, while the payee has provided services or goods but has not received a payment. The question becomes, who is responsible for the loss?

Over the last five years, the FBI’s Internet Crime Complaint Center has received an average of 652,000 complaints each year. The complaints cover a range of internet scams around the world.

Court Rulings on Diverted Payments

In Arrow Truck Sales Inc. v. Top Quality Truck & Equipment Inc.,7 Arrow paid money for the purchase of 12 trucks. The salesman for Top Quality and the buyer for Arrow negotiated a price of $570,000. Unbeknownst to either, both of their email accounts had been compromised. The fraudster then sent an email to Arrow asking to have the wire payment sent to a different bank account, one controlled by the fraudster. Both parties admitted that the new bank account was different from the bank account in the prior emails. The court, while holding for Top Quality, stated: “Simply put, [Arrow] should have exercised reasonable care after receiving conflicting emails containing conflicting wire instructions by calling [Top Quality] to confirm or verify the correct wire instructions prior to sending the $570,000. As such, Arrow should suffer the loss associated with the fraud.”8 Although the judge noted that both parties had their email accounts compromised, the court held that neither party was negligent in the manner of maintaining their email accounts. The court then discussed their relative due diligence and duty of ordinary care in terms of the “imposter rule” under the UCC. The imposter rule allows the court to determine liability based on which party is in the best position to prevent the forgery by exercising reasonable care.9

The Arrow case was discussed at length by the court in Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc.10 In Townsend, Don Hinds Ford had agreed to purchase approximately $736,225 worth of Ford Explorers. Beau Townsend Ford Lincoln’s email had been hacked, however, and the request for the wire transfer of the money was changed by the hacker to an alternate bank account. In the Townsend case, the court discussed the issue of fault based on the trial court’s finding for the plaintiff. The trial court stated that “[i]t was not Beau Townsend that instructed Don Hinds to send funds to ‘K.B. KEY LOGISTICS, L.L.C.’ in Missouri City, Texas.”11 However, the appellate court opined that in order to determine who was in the best position to prevent the fraud, the trial court must conduct a trial to determine the facts of the case and determine to what degree, if any, each party is responsible. The appellate court stated: “[I]f principles taken from UCC Article 3 are applied, the court would have to determine whether either Beau Townsend’s or Don Hinds’ failure to exercise ordinary care contributed to the hacker’s success, and would then have to apportion the loss according to their comparative fault.”12 A trial on the negligence of both parties as to the loss would allow the court to determine whether a company with a hacked email account is primarily at fault or whether the payor who paid the money based on an email without further confirmation or due diligence is primarily at fault.

A number of other courts have considered the imposter rule in non-BEC-related cases. Based on the reasoning in those cases and the types of issues in BEC cases, the following types of circumstances may be considered by the courts in determining fault:

• The normal course of business for the companies or the industry;
• Prior dealings between the companies (e.g., had the companies only dealt in written checks prior to the incident);
• Whose accounts were hacked;
• Contributory actions (e.g., forwarding a hacked email or deleting an email known to be fraudulent without notifying the other party);
• Common cybersecurity techniques (e.g., multi-factor authentication);
• Company IT and security policies (e.g., whether the actions were in breach of the company’s own IT and security policies);
• Prior red flags of suspicious activity; and
• Whether a contract or an agreement had actually been reached.

While there is no clear-cut rule for apportioning liability based on current case law, a bank’s business and consumer clients should continue to exercise care and implement proper processes and procedures for initiating and confirming wire transfers to reduce the risk of bearing the liability for a fraud.

1. UCC § 4-104(a).
2. Travelers Cas. & Sur. Co. of Am. v. Wells Fargo Bank N.A., 374 F.3d 521, 525 (7th Cir. 2004).
3. See J. Walter Thompson, U.S.A., Inc. v. First BankAmericano, 518 F.3d 128, 132 (2d Cir. 2008).
4. Cincinnati Insurance Company v. Wachovia Bank, N.A., Case No. 08-CV-2734 (PJS/JJG) (D. Minn. Nov. 8, 2010).
5. Id. at pp. 6-7.
6. Source: https://www.ic3.gov. If you suspect fraud, notify FinCEN, IC3 and the local FBI or Secret Service office immediately.
7. Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., Case No. 8:14-cv-2052-T-30TGW, 13 (M.D. Fla. Aug. 18, 2015).
8. Id. at p. 13.
9. See, e.g., Nebraska Uniform Commercial Code § 3-404(d), comment 3 (“The drawer is in the best position to avoid the fraud and thus should take the loss.”); see also State Sec. Check Cashing, Inc. v. Am. Gen. Fin. Servs., 972 A.2d 882 (Md. App. 2009).
10. Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., Case No. 17-4177 (6th Cir. Nov.
27, 2018) 11. Id. at page 18. 12. Id. at page 15. 22 Nebraska Banker
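The verification step the Arrow court faulted the payor for skipping, as an added example that is not part of the article or of any cited opinion: a small payment screen that holds a wire whenever a vendor's emailed instructions name an account different from the one used in prior dealings, and releases it only after confirmation through a phone number recorded on file rather than one supplied in the email. Vendor names, account numbers and phone numbers are constructed sample data.

```python
"""Change-of-instruction control for outgoing wire transfers.

Added example, not code from the article or any cited court opinion. It
models the check the Arrow court said a payor should have made: when a
vendor's emailed wire instructions differ from the account on file, the
transfer is held until the change is confirmed out-of-band, using a phone
number recorded at onboarding rather than one supplied in the email.
Vendor names, account and phone numbers are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class VendorRecord:
    """What the payor already knows about a vendor from prior dealings."""
    bank_account: str    # account used for all prior payments
    verified_phone: str  # confirmed at onboarding, never taken from email


@dataclass
class WireRequest:
    """Payment instructions exactly as they arrived in an email."""
    vendor: str
    amount: float
    bank_account: str
    callback_phone: str = ""  # number the email asks the payor to call


@dataclass
class Decision:
    action: str  # "release" or "hold"
    reasons: list = field(default_factory=list)


def screen_wire(req: WireRequest, known: dict, threshold: float = 10_000.0) -> Decision:
    """Release only when the instructions match prior dealings; otherwise hold."""
    reasons = []
    rec = known.get(req.vendor)
    if rec is None:
        reasons.append("no prior dealings with vendor; verify before first payment")
        if req.amount >= threshold:  # threshold only adds weight for first-time payees
            reasons.append("large payment to an unknown payee")
    elif req.bank_account != rec.bank_account:  # a changed account is always a hold
        reasons.append(f"beneficiary account changed from {rec.bank_account} to "
                       f"{req.bank_account}; confirm by calling {rec.verified_phone}")
        if req.callback_phone and req.callback_phone != rec.verified_phone:
            # Whoever controls the mailbox also controls any number it supplies.
            reasons.append("callback number in the email differs from the number "
                           "on file; do not use it to verify")
    return Decision("hold" if reasons else "release", reasons)


def confirm_out_of_band(decision: Decision, confirmed_on_file_phone: bool) -> Decision:
    """A held wire is released only after confirmation via the number on file."""
    if decision.action == "hold" and confirmed_on_file_phone:
        return Decision("release", decision.reasons + ["confirmed out-of-band"])
    return decision
```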


TECH TALK

The New Ransomware Self-Assessment Tool (R-SAT): Changes in Latitudes, Changes in Attitudes

Shane Daniel and Laura Zannucci, SBS CyberSecurity

Passion for cybersecurity is one of our company’s core values. In fact, we have shirts to prove it. Speaking of passion, we can’t help but think of Jimmy Buffett. He is not just a musician and singer-songwriter but also a person who followed his passions and created a lifestyle that inspired millions. Channeling our inner Parrot Heads, we asked Bing Chat to write a blog linking the recent Ransomware Self-Assessment Tool (R-SAT) updates and the great Jimmy Buffett. Bing Chat responded: “I’m sorry, but I cannot write a blog about Ransomware Self-Assessment and Jimmy Buffett. These are two very different topics that do not have much connection or relevance to each other.”

Challenge accepted. We hope you find this entertaining and interesting because “if we couldn’t laugh, we would all go insane.”

It was clear that Bing Chat did not attend the recent Conference of State Bank Supervisors (CSBS) webinar on R-SAT 2.0 as we did. The webinar not only introduced the new and improved R-SAT but also provided lessons learned by banks that suffered a ransomware attack. Using lessons learned from attacks going back to January 2019, regulators expanded the R-SAT from 16 to 20 questions while maintaining the same general look and format as the initial version. The NIST Framework continues to be the foundation of the tool, including identify, protect, detect, respond and recover subsections. We found the webinar to be a “Cheeseburger in Paradise” and recommend practitioners review the lessons learned report with a “big kosher pickle and a cold draft beer; well, good God Almighty, which way do I steer?”

Changes in Latitudes, Changes in Attitudes

Just as Jimmy Buffett’s song suggests that changes in latitudes can lead to changes in attitudes, a revised R-SAT signals a change in mindset and strategy for tackling ransomware threats in the ever-evolving landscape of cybersecurity.
The Ransomware: Lessons Learned by Banks That Suffered an Attack report suggests that victims of ransomware attacks have gained a newfound appreciation for the R-SAT. Victims indicated a prior compliance-based focus on the R-SAT and overreliance on managed security providers versus fully understanding and directing their ransomware risk mitigation efforts. Most victims identified in the study had not completed or had only partially completed the R-SAT. In other words, we must steer the ship from a compliance mindset to a risk management approach.

Over-confident victims placed undue faith in a partially completed R-SAT, relied on the FFIEC Cybersecurity Assessment Tool (CAT) that was last updated in 2017, or relied on prior examinations and audits that failed to properly evaluate the institution’s cybersecurity preparedness. Some victims reported a dependency on third parties, such as managed security service providers, rather than fully comprehending the ransomware issues themselves. Still others knew their R-SAT had not been completed thoroughly or that its completion had been delegated to personnel with insufficient knowledge or experience to provide a credible challenge.

It is essential to avoid treating the R-SAT as just another regulatory compliance process rather than leveraging it to thoroughly evaluate risks and controls. Candidly, the R-SAT is an important tool that should be completed appropriately by those responsible for cybersecurity. Completing the R-SAT can be a first step in developing a ransomware playbook, which is a key component of a comprehensive Incident Response Plan. Failure to plan for a ransomware event may lead one to feel like they’re on a volcanic island singing, “I don’t know where I’m a-gonna go when the volcano blows.”

Now, let’s slow the tempo and look into key control gaps that regulators identified in the lessons learned report:

The Role of MFA

Multi-factor authentication (MFA) was one control consistently implemented by all victims following a ransomware incident (if they were not already using it). While MFA is not a silver bullet for weak security practices, if your institution is not using MFA, your R-SAT should document the reasoning for that decision. MFA is a seemingly simple security feature; however, there are many variations and implementation methods, each with strengths and weaknesses. Effective implementation and proper configuration of MFA are crucial for obtaining the expected benefits. The new tool places increased emphasis on MFA, which is now an expanded, standalone question.

Understanding, Identifying, and Managing “Hyper-local” Social Media

While you may be unfamiliar with the term, chances are you are already using “hyper-local” social media to some extent. Think of Nextdoor, Facebook Neighborhood, or Citizen: the websites and applications you use to stay up on the local gossip, complain about the service you received in the drive-up, or find out whether anyone was injured in the wreck you saw on the way to work — the site everyone monitors, and which a few very active users usually dominate. Your Incident Response Plan must consider traditional social media and these hyper-local social media platforms. Banks must stay informed about these platforms and actively check for any false information or adverse feedback that could affect their reputation or customer confidence during a ransomware incident. Banks are advised to establish protocols for crisis communication to manage posts on both hyper-local and traditional social media effectively.

Additional Lessons Learned

Other critical items noted in the report included the following observations and findings:

• Expanding cloud usage requires greater awareness of where data is located, as well as which services are cloud-based.
• Ransomware tactics are changing and now include double and triple extortion techniques, sometimes with accompanying DDoS attacks.
• Increased emphasis and detail on employee awareness and security training.
• Controversial practices: Paying an extortion fee for the promise of silence from a criminal emboldens them to continue targeting the banking industry.

Why a Revised R-SAT?

Utilizing the lessons learned report, regulators identified primary drivers for revising the R-SAT model and made notable changes in the question set to further strengthen the tool to reflect the current scope of ransomware threats. The primary drivers for the revised R-SAT included:

• Changes needed to address the evolving threat environment and bad actor tactics.
• Changes needed to address changing bank environments and controls.

Notable Changes

• Increased emphasis on MFA.
• Identification and management awareness of any data, including cloud-based data, housed in locations outside of the U.S.
• Increased emphasis and detail on employee awareness and security training.
• Increased clarity on identifying systems or activities processed or performed internally, outsourced to a third party, or a combination of the two.
• Identification of systems or activities that are based in a cloud environment.
• Review of cyber framework gap analysis.
• Checklist of services potentially available through cyber insurance policies.
• Narrative requesting identification of vendors that do not have ransomware-related controls in place.
• Procedures to validate the sterility of data backups before restoration to prevent reinfection.
• Identification of any ransomware threats and risks identified in risk assessments that have not been appropriately remediated or mitigated to an acceptable risk level.
• Identification of new preventative controls.
• Identification of new or reworded Incident Response Plan considerations.
• Considerations for third parties engaged in the event of an attack.

Be Like Buffett: Turn Challenges into Opportunities

With ransomware remaining one of the most visible cyber threats, all organizations remain at risk. For the unprepared, the consequences can be severe, including damage to the brand or reputation, regulatory consequences, impacts on operations and failure of the institution. While a comprehensive plan is valuable, a plan itself does not negate the need for strong leadership during crisis management.

“Roll with the punches, Play all of his hunches, Make the best of whatever came his way.”

These lyrics are worth contemplating in light of the recent MGM Resorts and Caesars ransomware attacks and how each management team responded. Each management team had a choice to either negotiate a ransom amount and hope for a speedy recovery or refuse the extortion payment and attempt to recover. Neither choice is a clear win, and each choice leads to its own set of ramifications. Turning challenges into opportunities was a hallmark of Mr. Buffett’s legacy and a lesson in leadership. The R-SAT is not a test to pass or fail but an opportunity to prepare your team for the uncertain challenges of a ransomware attack, as well as a critical step in developing an incident response plan playbook for responding to ransomware.
Shane Daniel is the Information Security Consulting Team Lead and Laura Zannucci is the Senior Information Security Consultant/ISO for SBS CyberSecurity, LLC. To learn more, please visit sbscyber.com.


2024 EDUCATION CALENDAR

JANUARY
• Regulation B Workshop, January 23-24, Virtual
• State Government Relations Forum, January 25, Lincoln, NE
• Fair Lending Essentials Workshop, January 30-31, Virtual

FEBRUARY
• Young Bankers Day at the Capitol, February 6, Lincoln, NE
• Operations Conference, February 6-7, Lincoln, NE
• Mid-Winter IRA Essentials Workshop, February 12-13, Virtual
• Mid-Winter Advanced IRA Workshop, February 14-15, Virtual
• Health Savings Account Seminar, February 16, Virtual
• Bank Executives & Directors Conference, February 21-24, Scottsdale, AZ
• Financial Statements & Tax Returns Analysis Workshop, February 28-29, Virtual

MARCH
• Supervisor Boot Camp, March 13-14, Lincoln, NE
• CEO Executive Forum, March 28, Lincoln, NE

APRIL
• Spring Agri-business Conference, April 2-3, Kearney, NE
• Opening Business Accounts in Nebraska Workshop, April 9, Virtual
• Cybersecurity Workshop, April 11, Virtual

MAY
• NBA Annual Convention, May 8-10, La Vista, NE

For more information about these live and online education events and training tools, contact the NBA Education Center at (402) 474-1555 or nbaeducation@nebankers.org. You may also visit the NBA website at https://www.nebankers.org/education.

This magazine is designed and published by The newsLINK Group, LLC | 855.747.4003 | 233 South 13th Street, Suite 700, Lincoln, NE 68508
