Pub 1 2021 Issue 4
32 | The Show-Me Banker Magazine

WHY BANKS MUST HAVE A CYBERSECURITY STRATEGY

By Greg Morse, Stronghold Data

Businesses within the financial industry are among the safest and most secure companies in the world. They must be because they house and protect their clients’ most valuable assets. While physical bank robberies continue to decline, the financial industry has become the #1 target for cybercrimes. Criminals would rather use ransomware than a weapon, and for good reason. According to Forbes, half of all businesses will pay a ransom, with the average cost being nearly $112,000. That does not include financial and business losses from the downtime of a ransomware attack or other cyberattack, which lasts about two weeks on average.

For most banks and financial institutions, cybersecurity is already top of mind, and in reality, cybersecurity is critical. Here are three things a bank should ask when it comes to cybersecurity:

What do hackers want?

It may seem obvious that money is what most hackers want, but money is not the only thing hackers are after when targeting banks. As Flagstar Bank, a financial institution from Michigan, learned, hackers also want data. When a ransomware attack hit Flagstar in Jan. 2021, the hackers stole Social Security numbers, names, and addresses of both employees and clients. Banks sit on a treasure trove of client data, and bad actors know this. Unsurprisingly, the U.S. Securities and Exchange Commission issued a Ransomware Alert in July 2020 warning of the increased sophistication of ransomware attacks on SEC registrations. Protecting clients’ data should be a top priority of a bank because, for hackers, their top priority is to steal it.

What are the concerns after a compromise?

Reputation Damage

When data does get compromised, there are several concerns banks need to keep in mind. The first is reputation. Clients trust banks to keep their assets and data safe. When a breach happens and is made public, it damages that trust. Missouri law mandates that in most cases, businesses must notify individuals if their data has been breached. Few things are as embarrassing to a company as telling customers that their data was stolen. Discretion is always desired in a compromise, but knowledge of the attack will almost always become public, usually because the hackers will post the information on the internet.

Government Fines

The second concern banks should be aware of after a breach is potential fines. In recent years, the Federal Trade Commission has heavily penalized financial institutions that allowed a breach to happen because they lacked proper cybersecurity protection. The most notable example of this was when Equifax paid an estimated $575 million as part of a settlement for their 2017 breach. Compounding the costs of the breach itself with