September is "National Preparedness Month" with weekly themes of floods, wildfires, hurricanes and power outages. Yet, cyberattacks can be more devastating and more difficult to predict and control.
On the 14th anniversary of the September 11, 2001 terrorist attacks, the OCC issued a press release reminding banks to maintain effective business continuity and disaster recovery plans to respond to natural disasters and other emergencies. We think cybersecurity risks should be included in this list.
Since cyberattacks may compromise the integrity of financial systems and the security of customer data, the resulting disruptions may be more severe over the long term than those from natural disasters. Business continuity and disaster recovery planning needs to be robust to protect customers from identity theft and fraud, and to protect the bank against reputation risk and even severe financial stress.
The "wildfire" aspect of cyberattacks cannot be overstated. The probability of a devastating cyberattack may be far greater than the risk of natural disasters. The disruption from a natural disaster is typically short-term, with normal banking operations restored shortly thereafter and little risk to the bank's reputation. Cyberattacks are different.
One CEO recently remarked that traditional risk management systems are designed to manage interest rate and credit risks, and disaster recovery and business continuity plans only anticipate natural disasters. Cyberterrorism is stealthy and its purpose is to destabilize operations and create anxiety among bank management, customers and the general population. Furthermore, the timing, sources, and methods of cyberattacks are almost unknowable, unpredictable and unquantifiable, as summarized by the following questions:
- Is the attack by a disgruntled employee ... or a foreign-government-sponsored intrusion?
- Is customer data breached ... or were there unauthorized funds transfers?
- Does the cyberattack take the form of a data download ... a dormant virus hibernating in the system ... or a serious flaw in the many linkages of the IT system or Internet connections?
Another CEO confessed that it is not competitive pressures, interest rate or credit risk, or compliance issues that keep him up at night ... it is cybersecurity. Clearly, the regulators are concerned as well, making cybersecurity their top concern, as evidenced by the FFIEC's new cybersecurity assessment tool and forthcoming intensified IT and management examination guidelines.
A successful cyberattack can permanently damage a bank's reputation, and it may be a challenge to recover, especially if customers no longer trust a bank's electronic delivery channels and IT systems. Community banks are perceived to be more vulnerable to cyberattacks because their resources are more limited than those of larger banks. If such trust suddenly evaporates, there may be a severe liquidity issue if depositors move quickly to withdraw funds. While a bank can operate with deficient capital, when liquidity is exhausted, the regulators are forced to step in immediately. The sharp decline in sales at Target post-breach underscores the brittleness of reputations, and long lines at the Greek banks a few months ago remind us of the fragility of depositor trust. Would cyberattacks at community banks lead depositors to favor banks designated too big to fail?
Robust planning and clear contingency action plans, timetables and communication channels need to be in place in the event of a cyberattack. Even though your bank may have been actively engaged in cybersecurity preparedness, this does not assure immunity from depositor panic if another bank becomes a victim of a devastating cyberattack.
We cannot stress enough the importance of cybersecurity planning, and the breadth of scope in such planning. There are no easy answers, and every bank's solution will be different. To learn how we can help, please contact me at (703) 647-6543 or email@example.com.