Cyberattacks on the country’s largest banks, from JPMorgan Chase & Co. to Bank of America Corp., grab the headlines. But the Federal Reserve Bank of Boston and other regulators worry that smaller banks, with less robust cybersecurity, provide easier targets for criminals, terrorists, and foreign states seeking to infiltrate the US financial system.
Banks are so interconnected, doing business with each other and interacting with the Federal Reserve, that an attack on a community bank could eventually infect larger banks, spreading like a virus and threatening the stability of and confidence in the banking system. Numbering in the thousands across the country, small banks don’t have the resources to hire armies of technology experts and spend millions for the most sophisticated software to thwart cyberthreats.
That makes them a weak link for those looking to steal money, lift identities, and wreak havoc on the financial system, regulators fear.
“All the attacker has to do is get into one institution, and that gives them a door into others,” said Kenneth Montgomery, chief operating officer of the Boston Fed. “If a sufficient number of small institutions stop processing payments, could that have a systemic risk? It could have some impact.”
Cybercriminals are already testing this route. About a year ago, a small Boston-area bank discovered during a routine check that hackers had invaded its computer systems, Montgomery said. The malicious software wasn’t aimed at the local bank, which regulators declined to identify. Instead, the code was targeted at disrupting the Fed and the payment systems, officials said.
The local bank quickly notified the Boston Fed, which strengthened its firewalls and thwarted the attack.
Such incidents have regulators increasing their focus on cybersecurity during bank examinations, looking for ways to bolster measures that keep out malicious software. The New York Department of Financial Services, for example, recently proposed tighter cybersecurity rules, such as requiring banks to have information security officers on staff.
The Boston Fed is testing a program aimed at getting small and mid-size banks in Massachusetts to share information about threats to heighten awareness and help them respond to threats. It is expanding that effort to other parts of New England this year.
“No one is immune,” said Frank J. Cilluffo, director for the Center for Cyber and Homeland Security at George Washington University. All banks “have got a big bull’s-eye on them.”
Banks are among the most targeted institutions for cyberattacks. Not only do they hold vast amounts of money and sensitive personal information, but ATMs and online and mobile banking services are exposed to hackers. It’s difficult to pinpoint exactly how often they come under attack and to know the overall cost of these attacks because the information isn’t always reported to one regulator.
Some institutions may not even be aware they are being infiltrated, Cilluffo said. One large US bank, which Cilluffo declined to identify, told him that it has to fend off 30,000 cyberattacks a week.
In 2014, a criminal gang launched an attack on JPMorgan’s computer systems and stole the names, e-mails, and phone numbers of more than 80 million people and used the data in an elaborate scheme to manipulate stock prices. Iran is suspected to be behind a 2012 attack that disrupted online banking sites of Bank of America and several other institutions, including regional banks such as North Carolina-based BB&T Corp.
JPMorgan officials have said their bank is spending $500 million this year to strengthen cyber defenses. Bank of America, of Charlotte, N.C., spent $400 million on cybersecurity last year.
Smaller banks don’t have those types of resources. While they may not offer as rich a target as the nation’s biggest institutions, small banks are still attractive targets for cruder cyberattacks and for those seeking a point of entry into the financial system.
Joe Zazzaro, chief information officer at PeoplesBank, a Holyoke bank with $2 billion in assets and 17 branches, said e-mail phishing schemes and other cyberthreats hit the bank’s firewalls “all the time.” Cybersecurity has become so crucial for the bank that it has expanded its technology staff from one person handling security along with other duties to three employees — two full-time and one part-time — focused entirely on safeguarding the bank’s computer systems, Zazzaro said.
But with so much information about potential cyberthreats, it can be difficult for a small bank with limited staff to discern what is an immediate problem that must be addressed and what may be irrelevant. Every two weeks, Zazzaro leaves Western Massachusetts at 6 a.m. to drive to Boston for the Boston Fed’s meeting on cyberthreats.
The meeting provides local perspective on flare-ups that other banks may be seeing. And it offers the latest information from federal agencies on cyberthreats, as well as tips for questioning bank vendors to ensure they have cyber defenses in place.
The Boston Fed is also holding a conference for bank executives on April 4 to learn more about cybersecurity.
Montgomery, the Boston Fed chief operating officer, said the Fed is trying to provide smaller banks with help that doesn’t cost tens of millions of dollars, such as providing information on which viruses to be on the lookout for and what software patches are available to keep them out.
Montgomery, however, acknowledges that the cost of protecting data, monitoring systems, and documenting it for regulators is increasing, and some smaller institutions may be forced to merge to accomplish it. On the other hand, he said, the cost of a breach could be much higher if it erodes the confidence of customers and makes them reluctant to do business with a bank.
“That will put a small institution out of business much faster than a Bank of America,” Montgomery said.