CYBER & DATA SECURITY

Mitigation

Prevention and risk mitigation are key components of every aspect of bank operations; the same holds true for the protection of customer data.

Build Your Information Security Program

The following links will lead you to cybersecurity assessment tools to help you better understand where your bank stands.


U.S. Banks’ Concerns with Compliance, Risk Management on the Rise According to Wolters Kluwer Indicator

New Regulations and Recent Data Breaches Behind Three Percent Overall Rise in Concern

Wolters Kluwer today announced results of its annual Regulatory and Risk Management Indicator survey of U.S. banks and credit unions, showing that regulatory compliance and risk management concerns have inched up three percent over 2016 results. While concerns over several specific challenges, such as fair lending exam scrutiny and new Home Mortgage Disclosure Act rules, remained high, other compliance-related factors, including the ability to track, maintain and report to regulators, remained steady or declined slightly. The Indicator survey was sent to banks and credit unions nationwide earlier this fall and generated 608 responses.

Overall, risk management concerns jumped by 13 percent over the 2016 Indicator results. Cybersecurity and data security led the list of top risks that respondents anticipated giving escalated priority to in 2018, with an 83 percent ranking of “concerned” or “very concerned,” followed by IT risk (54 percent) and regulatory risk (50 percent). These responses echo and underscore recent statements from senior federal bank regulatory officials about burgeoning cybersecurity risks.

“These results—compiled against a backdrop of highly publicized data breaches at well-known entities, and at a time when financial institutions are preparing for the implementation of the most significant set of HMDA changes in several decades—drove the increase in concerns expressed in this year’s survey,” said Timothy R. Burniston, Senior Advisor and Principal Regulatory Strategist at Wolters Kluwer.

When asked about the likelihood of a measurable reduction in regulatory burden anticipated over the next couple years, 69 percent responded that such relief was “not likely.”

Efforts in implementing risk management programs remained relatively steady, with modest progress in those characterizing their organization’s efforts as having either an integrated, strategic risk management program (37 percent) or a well-defined but not enterprise-wide implemented program (33 percent) versus those in the early stages of program development (22 percent).

Respondents expressed concern about optimizing their organization’s compliance costs (78 percent), reducing exposure to financial crime (72 percent), and managing compliance monitoring and testing (73 percent). In a free-text response question, the Home Mortgage Disclosure Act rules going into effect January 1, 2018 were cited as the single biggest compliance challenge.

Regulatory examiners’ scrutiny of fair lending programs was seen as a growing pain point, jumping five percent over the prior year’s survey, with 46 percent of respondents noticing either a considerable or slight increase in scrutiny based on their institution’s most recent exam.

Respondents cited a multitude of obstacles to managing an effective compliance program, led by “inadequate staffing” (46 percent), “manual rather than automated processes,” (39 percent), and “too many competing priorities” (34 percent).

“The survey responses, when viewed collectively, reinforce for financial institutions the strategic imperative of having a proactive, well-staffed and supported corporate compliance program that operates across the three lines of defense—the business units, along with compliance/risk and audit areas—in tandem with an overarching risk management framework integrated with all lines of business,” said Burniston.

For more information on the 2017 Indicator results, please visit Wolters Kluwer.


Vulnerabilities & Mitigation

Cybersecurity and data security vulnerabilities come in many forms. Use these resources to know what you are dealing with and how to stay one step ahead.

Name | Source | Date
Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments | OFAC | 10/01/2020
Advisory on Unemployment Insurance Fraud During COVID-19 | FinCEN | 10/13/2020
Analysis Report: FiveHands Ransomware | CISA | 05/06/2021
AppleJeus: Analysis of North Korea’s Cryptocurrency Malware | CISA | 02/17/2021
CISA Alert: Active Exploitation of SolarWinds Software | CISA | 12/13/2020
CISA Emergency Directive on SolarWinds Orion Code Compromise | CISA | 12/13/2020
Compromised Managed Service Providers | USSS | 09/10/2020
Contact U.S. Department of Labor Cyber Fraud Task Forces | DOL | 09/10/2020
Contact U.S. Secret Service Cyber Fraud Task Forces | USSS | 09/10/2020
Cyber Fraud Task Force Bulletin - September 2020 | USSS | 09/25/2020
Cybersecurity: Ransomware Alert | OCIE | 09/10/2020
Fact Sheet: Russian SVR Activities Related to SolarWinds | CISA | 05/07/2021
FBI Alert: Increased Use of Mobile Apps Could Lead to Exploitation | FBI | 09/10/2020
FBI Sees Spike in Fraudulent Unemployment Insurance Claims Filed Using Stolen Identities | FBI | 09/10/2020
FinCEN Advisory on Imposter Scams and Money Mule Schemes | FinCEN | 09/10/2020
Indicators Associated with Netwalker Ransomware | FBI | 09/10/2020
Indicators of Compromise Associated with Darkside Ransomware | FBI | 05/10/2021
Joint Advisory on Accellion File Transfer Appliance Vulnerabilities | CISA | 02/24/2021
Joint Cybersecurity Advisory on Russian Foreign Intelligence Service (SVR) | NCSC, CISA, FBI, NSA | 05/07/2021
Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage | CISA | 09/10/2020
Money Mule Initiative and Education | DOJ | 12/16/2020
North Korea: Cyber Tactics and Tools Targeting Global Financial Sector | DHS | 01/13/2021
North Korean Malicious Cyber Activity | CISA | 02/17/2021
OCCIP Cybersecurity Alert 1 - Ransomware | OCCIP | 09/10/2020
Pandemic Response Portal | | 09/28/2020
PIN - Egregor Ransomware | FBI | 01/07/2021
PIN: Cyber Criminals Exploit Email Rule Vulnerability to Increase the Likelihood of Successful Business Email Compromise | FBI | 12/01/2020
Ransomware Guide | CISA | 09/01/2020
Russian Foreign Intelligence Service Cyber Operations: Trends and Best Practices for Network Defenders | CISA and FBI | 04/27/2021
SBA Information Notice | SBA | 07/21/2020
SBA Lender Alert EIDL | SBA | 07/14/2020
Scam Awareness Materials for Groups and Organizations | SSA | 11/02/2020
Security Alert Pandemic Related Fraud Chargeback Scheme | Visa | 10/21/2020
Selecting and Safely Using Collaboration Services for Telework | NSA | 09/10/2020
State UI ACH ID List | USSS | 09/10/2020
Tips to Defend Against Ransomware | FS-ISAC | 05/01/2019
U.S. Secret Service Cyber Fraud Task Force Map | USSS | 09/10/2020
Unemployment Insurance Fraud Consumer Protection Guide | | 09/28/2020
USSS SBA OIG Joint Alert - PPP EIDL Fraud - TLP Green | | 09/28/2020
USSS-DOL OIG UI Advisory | USSS | 09/10/2020
What We Urge You to Do to Protect Against the Threat of Ransomware | White House | 06/03/2021

Sheltered Harbor

Sheltered Harbor is the not-for-profit, industry-developed standard for protecting and recovering customer account data when a catastrophic event causes critical systems, including backups, to fail.

Its purpose is to promote the stability and resiliency of the financial sector and to preserve public confidence in the financial system in the face of an extended systems outage or destructive cyberattack.


The Sheltered Harbor standard combines secure data vaulting of critical customer account information and a resiliency plan to provide customers timely access to their data and funds in a worst-case scenario.

In many cases your core processor may provide a Sheltered Harbor solution. Please read ICBA's Core Processor Guide.


How Does Sheltered Harbor Achieve Greater Protection for Community Bank Customers?

Industry Response — Resiliency standards established by the financial services industry ensure that consumers receive timely access to their accounts in the event that their bank or brokerage firm becomes inoperable due to a major cyber event.

Standard Data — All participating institutions make a daily copy of their consumers’ account data in a standard format, which enables restoration of those accounts by another institution or processor in the event of a major loss of operations.

Monitored Regularly — All participating institutions update their adherence reviews to ensure that the Sheltered Harbor standards are exercised consistently and in accordance with Sheltered Harbor specifications.

Secure Vault — Your customers’ account data is archived in a secure data vault that is protected from alteration or deletion. The data stays intact and accessible if needed, exactly as it was when archived. Think of this as a fallout shelter for customer data, with each institution providing its own data vault.
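As an added illustration (not the Sheltered Harbor specification, and not ICBA's or any vendor's code), the following Python script shows the two properties the list above asks for in runnable form: a canonical standard export format that any receiving institution can parse, and an archive whose alteration or deletion is detected before a restore is attempted. The record layout, field names and sample accounts are constructed for the example.

```python
"""Tamper-evident daily account snapshot: added illustration, not the
Sheltered Harbor specification. Layout, field names and sample data are
constructed for the example."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample accounts; a real export would come from the core system.
SAMPLE_ACCOUNTS = [
    {"account_id": "1003", "customer": "C. Example", "balance": 42.00},
    {"account_id": "1001", "customer": "A. Example", "balance": 1500.25},
    {"account_id": "1002", "customer": "B. Example", "balance": 0.0},
]


@dataclass
class Snapshot:
    as_of: str              # business date the copy was taken
    records: list           # canonical lines, one per account, sorted
    manifest: dict = field(default_factory=dict)


def canonical_line(account: dict) -> str:
    """One byte-exact encoding per record (sorted keys, no whitespace), so
    every institution hashes the same bytes for the same account."""
    return json.dumps(account, sort_keys=True, separators=(",", ":"))


def _root_hash(lines: list) -> str:
    digests = [hashlib.sha256(l.encode()).hexdigest() for l in lines]
    return hashlib.sha256("\n".join(digests).encode()).hexdigest()


def export_snapshot(as_of: str, accounts: list) -> Snapshot:
    """The daily copy: records in the standard format plus a manifest that
    commits to their count and content."""
    lines = sorted(canonical_line(a) for a in accounts)
    manifest = {"as_of": as_of, "count": len(lines), "root": _root_hash(lines)}
    return Snapshot(as_of, lines, manifest)


def verify_snapshot(snap: Snapshot) -> tuple:
    """Recompute the manifest from the stored lines. An edited, reordered,
    inserted or missing line changes the root; a missing line also changes
    the count, which is reported first."""
    if len(snap.records) != snap.manifest["count"]:
        return False, "record count mismatch (deletion or insertion)"
    if _root_hash(snap.records) != snap.manifest["root"]:
        return False, "content hash mismatch (alteration)"
    return True, "ok"


def restore(snap: Snapshot) -> list:
    """What a receiving institution or processor does: verify first, then
    parse the standard lines back into account records."""
    ok, why = verify_snapshot(snap)
    if not ok:
        raise ValueError(f"refusing to restore: {why}")
    return [json.loads(l) for l in snap.records]


if __name__ == "__main__":
    snap = export_snapshot("2021-06-01", SAMPLE_ACCOUNTS)
    print("clean copy:", verify_snapshot(snap))
    altered = Snapshot(snap.as_of, list(snap.records), dict(snap.manifest))
    altered.records[0] = canonical_line(
        {"account_id": "1001", "customer": "A. Example", "balance": 999999.0})
    print("balance edited:", verify_snapshot(altered))
    truncated = Snapshot(snap.as_of, snap.records[:-1], dict(snap.manifest))
    print("record deleted:", verify_snapshot(truncated))
    print("restored ids:", [r["account_id"] for r in restore(snap)])
```

Keeping the manifest next to the records, as done here for brevity, only catches accidental damage or tampering by someone who cannot rewrite the whole archive. Against an attacker who can, the root hash has to be recorded somewhere they cannot reach (a separate write-once store, or a signature whose key lives outside the production environment); that separation is the role the institution's own vault plays in the standard.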


Join Now

Sheltered Harbor participation is currently open to U.S. banks, broker-dealers, and service providers of all sizes.

Joining entitles participants access to the standard, support content and experts to help with implementation, and the knowledge that the institution is being proactive in protecting its customer account data.

Does Your Bank Have a .Bank Domain?

.BANK is an evolution in relationship management, offering a trusted, verified, more secure, and easily identifiable location on the internet for your customers and your bank, regardless of size. .BANK provides a trustworthy stamp of approval for your online offerings.


Manage your .Bank domain or register one:

  • EnCirca Website:

    Formed in 2001, EnCirca is an ICANN-accredited registrar and registry validation provider based in Boston. EnCirca is the leading domain name registrar for .BANK domain names and specializes in complex and custom registrar solutions for the domain name industry. Contact sales@encirca.com to request a consultation.

  • fTLD Website

What Makes .BANK Safer?

Through registrant verification and mandatory security requirements, the .BANK domain creates a safer space and acts as a visual security cue for bank employees and customers.


A .BANK suffix on an email address or website URL tells the reader that the domain was issued to a verified bank, since only eligible, verified institutions can register one. Combined with the email authentication that .BANK requires, this gives employees and customers a simple visual check to apply before trusting a message or a site. The check is only as good as the reader's attention to the actual domain: a display name that mentions the bank, or a lookalike domain under another TLD, carries none of this assurance, and a genuine .BANK site still has to be operated securely like any other.
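To make the "email authentication" part of that cue concrete, here is an added Python example (not fTLD's, EnCirca's or ICBA's code) that reads the SPF and DMARC TXT records a sending domain publishes and reports whether the DMARC policy actually instructs receivers to reject or quarantine unauthenticated mail, which is what turns a domain name into a meaningful cue. The policy semantics (p=, sp=, pct=) are standard DMARC; the DNS answers are constructed and the example does not encode fTLD's actual requirement list.

```python
"""SPF/DMARC posture check for a sending domain: added example, not fTLD's
or any registrar's tooling. DNS answers below are constructed."""
import re

# Constructed TXT answers used in place of live lookups (not real records).
TXT_RECORDS = {
    "example.bank": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.example.bank": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.bank"],
    "example.com": ["google-site-verification=abc123", "v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    # A lookalike of a bank's name with no mail authentication at all.
    "examp1e-bank.com": [],
}


def lookup_txt(name: str) -> list:
    """Swap this for a real resolver (e.g. dnspython) to run against live DNS."""
    return TXT_RECORDS.get(name.lower().rstrip("."), [])


def sender_domain(from_header: str) -> str:
    """The domain the cue must be read from: the address in angle brackets,
    never the display name, which the sender controls entirely."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def parse_tags(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_posture(domain: str) -> dict:
    """Report whether SPF exists and what its terminal 'all' qualifier is:
    '-' hard fail, '~' soft fail, '?' neutral, '+' (or absent) pass-all."""
    for rec in lookup_txt(domain):
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all\s*$", rec)
            qualifier = (m.group(1) or "+") if m else None
            return {"present": True, "all": qualifier}
    return {"present": False, "all": None}


def dmarc_posture(domain: str) -> dict:
    """Only p=reject or p=quarantine applied to 100% of mail tells receivers
    to act on a failed check; p=none merely reports."""
    for rec in lookup_txt("_dmarc." + domain):
        if rec.lower().startswith("v=dmarc1"):
            tags = parse_tags(rec)
            policy = tags.get("p", "none").lower()
            pct = int(tags.get("pct", "100"))
            return {"present": True, "policy": policy, "pct": pct,
                    "subdomain_policy": tags.get("sp", policy).lower(),
                    "enforcing": policy in ("reject", "quarantine") and pct == 100}
    return {"present": False, "policy": None, "pct": 0,
            "subdomain_policy": None, "enforcing": False}


def assess(domain: str) -> dict:
    spf, dmarc = spf_posture(domain), dmarc_posture(domain)
    if dmarc["enforcing"]:
        verdict = "enforcing"          # forged mail from this domain is rejected/quarantined
    elif dmarc["present"] or spf["present"]:
        verdict = "partial"            # records exist but nothing forces receivers to act
    else:
        verdict = "unauthenticated"    # anyone can send as this domain
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "verdict": verdict}


if __name__ == "__main__":
    for hdr in ("Example Bank <alerts@example.bank>",
                "Example Bank Alerts <alerts@example.com>",
                "Example Bank Security <alerts@examp1e-bank.com>"):
        d = sender_domain(hdr)
        print(f"{hdr!r}: domain={d} verdict={assess(d)['verdict']}")
```

Run against live DNS by replacing lookup_txt with a resolver call; the verdict of "partial" for a domain that publishes SPF but only p=none is the common case a practitioner should watch for, because it looks authenticated on paper while receivers are told to deliver failures anyway.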

.BANK domains carry six security requirements beyond a standard .COM registration, adding layers of protection for the consumer, plus verification of the registrant; combined with email authentication, this is a baseline that the .COM space does not mandate. Consider the following difference between .COM and .BANK requirements: