Under the cyber gun, community and minority-led banks and credit unions are reaching out to the U.S. Congress to offer support in protecting them from the growing onslaught of cyberattacks.

In the face of industry data and real-world experience indicating that IT security at smaller, emerging FSIs and credit unions is more under threat, financial executives have approached lawmakers in recent months, seeking support for their cyber-protection plans. Last November, small and minority-led FSIs informed Congress that they required “better, more streamlined regulations” to help them set better IT security protocols and programs.

David Blazkowsky, head of product and regulatory affairs for Helios Data, pointed out that federal and state banking regulators are aware of the growing cyber threat.

However, “knowing it and fixing it are two different things,” Blazkowsky said. “And the investment and access to talent needed is beyond the range of these institutions. They have enough assets and personal information to be worth pilfering, but not enough revenue to protect them.” 

In November 2021, financial executives explained to the House Financial Services Subcommittee on Consumer Protection and Financial Institutions how this cyber threat to community FSIs and credit unions can cause particularly bad ramifications.

Nick Santora, CEO of Curricula, who also worked for the U.S. federal government for a decade prior to his current position, pointed out that: “To reduce risk, processes have to change. We follow processes because they’re routine, but all processes can be manipulated or flawed. We have to take a second look at how someone can manipulate the process, which is where hackers are taking advantage of these systems.”

Will increased regulations lead to better security?

Like the FSIs making a plea for support to Congress, Satya Gupta, co-founder of Virsec, also believes that regulation can play an important role in holding organizations accountable for protecting their employees, customers, partners and other third parties in their supply chain. “The good news is that financial institutions don’t have to fall victim to today’s attacks,” Gupta said.

“By implementing a deterministic approach to security, organizations can ensure that their legacy and modern software systems run only as intended and immediately stop any deviations,” Gupta added, “thereby preventing attackers from gaining access to their systems.”     

Especially in the face of concerns over greater online incursions, Steve Bomberger, head of SEI Sphere, noted that, “Cybersecurity isn’t just about passive defenses — it also includes safeguarding the business’ infrastructure, training for clients and staff members, third-party risk management, and an overall defense in depth approach to detection, remediation and prevention — all of which take a lot of money, resources, time and talent to put in place.”

Smaller FSIs are feeling the pinch so much that they may want to “crack down” on larger FSI counterparts and financial industry colleagues. But increased regulation is not necessarily a desirable outcome for many FSIs.

“Community [FSIs] … won’t just sit by and absorb new regs, in part to deflect from actions that will dissatisfy customers (think multi-factor authentication) or require significant investments in tech, talent, or change management,” said Blazkowsky.

“And increased legislation or agency-based regulation is never politically popular,” he added. “That said, community-based institutions, prodded by their regulators and examiners, will continue to make incremental progress on reducing their threat surfaces and increasing their resilience to attacks.”

This may include emerging technologies like "confidential computing" to protect data being on-boarded and shared within the institutions, which Blazkowsky said  will “change the  game” for those able to recognize it.