Although regulators are reluctant to provide specifics, industry insiders, such as Gartner's Avivah Litan, IronKey's Dave Jevans and the Independent Community Bankers Association's Cary Whaley, say the FFIEC's recent review of existing guidance suggests changes are imminent.
For Whaley, the vice president of payments and technology policy for the ICBA, the guidance will be a welcomed update. And when it's issued, he hopes regulators place more responsibility on banks' third-party service providers.
"We realize that it is not the role of the FFIEC to audit service providers," Whaley says. "But where a lot of the disconnect happens is on the service provider side. Community banks are at the mercy of their service providers, from a security and software-update standpoint."
More Onus on Vendors?According to a June 2010 ICBA survey of community banks ranging from less than $100 million in assets to just more than $500 million, 50 percent outsource core processing to independent platform providers. Beyond that, 55 percent outsource the management of their online banking channels to core processors; and when it comes to intrusion detection and intrusion prevention, 70 and 71 percent, respectively, outsource those services to third parties. (Hear a community banker's perspective about corporate account takeover.)
Vendors that provide core processing and online services to community banks should be held accountable for ensuring technology and platforms are up-to-date, Whaley says. What is needed, especially on the multifactor authentication side, is guidance smaller banks can hand over to ensure their providers offer layered security, rather than just meeting minimum requirements to get the bank past an audit.
"Service providers rely on the mandates," Whaley says. "So, if there is specific guidance, that would help; and it could be done in a way so that even the smallest institutions would not bear extensive cost."
Unless a security upgrade or change is mandated, it does not typically fall under the contractual compliance umbrella most small institutions have with their vendors, Whaley says. That also means that many vendors, unless they are contractually obligated, do not have to notify their bank customers of systems upgrades, patches or other updated security measures and solutions when they are released.
Terry Austin, CEO of Guardian Analytics, an online security solutions provider, says vendors should educate their bank customers. But the core challenge is really more about platform providers cooperating with vendors.
"Platform providers need to allow access and provide data to the vendors, so that vendors can fully integrate their solutions," Austin says. "It's important for vendors like us to be able to work with these providers so that we can have access to the data that will help us work with the banks and credit unions to improve security."
More Volume, More SecurityJevans, founder and chairman of online banking security vendor IronKey, says most community banks are not prepared for the sophisticated attacks now hitting the market. "I think the reality of the situation is that, particularly with smaller financial institutions, they haven't seen the level of sophisticated fraud that is starting to happen across the industry," he says. "They don't see it, they are not prepared for it, and there is not a good forum for information sharing about what is happening. I think a lot of these institutions are thinking, 'Well, you know, my day-to-day business is running OK, so it must be working for me.' Unfortunately, what is happening is that cybercriminals, in particular, are targeting smaller financial institutions, smaller business customers; and when they attack, they attack in a big way, and the losses are quite substantial."
Education plays a big part, and vendors have to be diligent about educating their bank customers, Jevans says. But how much security does every institution need? That's a relative question.
"More volume is going to dictate more security, and that is a good thing about what the current FFIEC guidance has done," Whaley says. "They've taken a risk-based approach, based on volume." But the industry has to keep in mind that even a single breach could be enough to put a small bank out of business. "We all have to be protected," Whaley says.