Regulation

Small, minority-led banks and credit unions face greater cyber risk

Small and minority-led financial service institutions face greater cybersecurity pressures than larger counterparts, experts say. Pictured: U.S. currency is displayed on Aug. 29, 2017, in San Anselmo, Calif. (Photo Illustration by Justin Sullivan/Getty Images)

In cybersecurity, as in many areas, the “little guy” gets squeezed. Such is the apparent case with the financial industry, where small and minority-led financial services institutions (FSIs) and credit unions are feeling greater pressure and impact from online threats.

In recent months, this has grown beyond being a basic IT security, or even banking, issue into being a political one, as FSI executives and the Congress representatives who support them have made their case that smaller and emerging community-based FSIs need greater cybersecurity support from regulators, larger fellow FSIs and the core processors that typically support these small FSIs.

“The scale of cyberattacks has become more advanced and widespread, and the financial services industry continues to be one of the largest targets for threat actors,” said Steve Bomberger, head of SEI Sphere, a cybersecurity and IT solutions provider. “Smaller banks and credit unions may not be as equipped to handle these sophisticated attacks as larger institutions.”

Andrew Howard, CEO of Kudelski Security, agreed that these types of banks “typically have less investment in security than the name brand financial institutions.”

“From an IT perspective, they typically look much more like a small business than a large enterprise,” Howard pointed out. “For these reasons, they are often targets. This challenge can likely be solved through regulation, as improved security requires financial trade-offs.”

While big banks, investment firms and brokerages were the juiciest targets for black-hat hackers in the early years, smaller FSIs have become the main targets in recent years as they are seen as easy prey since they lack the staff, the technology and the experience to combat this cyber onslaught, and more online thieves are moving downstream. While “bigger fish” may present a bigger target, according to Jamie Davis, vice president of product marketing at Safe Systems, a leading provider of fully compliant IT and security services for community banks and credit unions, it is understood that “a bunch of cyberattacks on smaller businesses can be profitable as well.”

“In general, the smaller the institution, the smaller the budget, the less the expertise, and the less products in place to protect themselves,” Davis said. “This is why it is critical for community FSIs to join with organizations that allow them to get access to the same expertise and products as the bigger FSIs.”

Indeed, larger super-regional and money center banks, investment houses and trading firms have poured resources into beefing up cybersecurity, smaller and burgeoning FSIs lack the staff and the budget to compare, even on a size-adjusted basis.

"The really smart attackers know that the easy money is where the cyber-related sophistication and resources are at their weakest,” said David Blaszkowsky, head of product and regulatory affairs for Helios Data. “Older software, unpatched apps, poorly trained technical staff, even less-sophisticated customers … these are all characteristic of community banks and other smaller financial institutions.”

A recent Trend Micro report pointed out that FSIs overall saw more than a 1,300% increase in ransomware attacks alone in the first half of last year [2021] as compared with the first six months of 2020. To some degree, it’s a numbers game, as Tim Eades, CEO of vArmour, pointed out. “These smaller financial targets are highly valuable, with over 5,400 credit unions in America responsible for tens of millions of individual accounts, meaning that a cyberattack on a smaller financial institution can be highly profitable for bad actors.” According to the FDIC, there are roughly over 5,000 community banks.

As Travis Hoyt, chief technology officer at NetSPI, pointed out, smaller banks, minority-led institutions, and credit unions have had an issue with cyberattacks for a number of years, oftentimes because they are unable to “attract and retain the talent needed to staff robust security teams, especially when faced with competition by larger FSIs with bigger budget allocations.”

“This challenge is exacerbated by the fact that the larger FSIs, while still a target, are more difficult to hack into than their smaller counterparts,” Hoyt added, “which entices threat actors into targeting the arguably softer, smaller targets without effective cyber control capabilities.”

prestitial ad