The Secured Lender, by Myra Thomas
Given the widespread nature of cyber attacks in the U.S. and throughout the world, it’s little wonder that the financial services industry is on alert and working to be ever-vigilant in protecting its sensitive information. The recent data breach at Equifax put the industry on notice, and secured lenders are not taking the threat lightly. The concern is warranted. According to reports from IBM Managed Security Services, financial services jumped from the third most cyber-attacked industry in 2015 to the most cyber-attacked in 2016.
The most popular types of attacks affecting financial institutions, according to the report, were related to breaches in web application database servers and operating systems, giving attackers the opportunity to read, change and delete sensitive information. The report also noted a rise in reported Society for Worldwide Interbank Financial Telecommunication (SWIFT) attacks against the messaging system used by banks and companies to move cash globally.
Assessing the Risk
But the exposures to cyber hackers are diverse. The most significant attacks are generally associated with the vast amounts of confidential data that lenders regularly store, notes Brendan Welter, senior vice president and chief information security officer for Sterling National Bank. Any time a secured lender connects with clients through the Internet, probably through a client portal, there are risks. “Without the right controls and focus on protecting client data, the exposures will grow considerably against the backdrop of the rapid developments in the cyber hackers’ capabilities,” he says.
Welter admits that the sheer number of sophisticated techniques that cyber hackers use is testing the industry. But he believes that asset-based lenders and factors are rising to the challenge. The key to avoiding cyber attacks, says Welter, remains with investing in the right people, processes and technology to stay ahead of the threats. “We’ve found that raising cybersecurity awareness within the bank is also key to cyber resiliency, as our employees are our first line of defense,” he adds. “The industry can never stop learning and investing in cyber. The criminals and fraudsters innovate at such a fast pace that new techniques to conduct cybercrime surface daily.”
The Dangers of Interconnectedness
While cybersecurity does focus on minimizing exposures at the secured lender itself, the nature of modern finance demands that financial institutions and their clients be increasingly interconnected. Along with the convenience of interconnected systems comes a greater and greater chance of the transmission of cyber risk between parties. Welter notes, “The opportunity for cyber attacks multiplies as the number of client applications and interfaces increases.”
Secured lenders can minimize the risk by looking at each and every transaction they consider. Asset-based lenders and factors need to constantly evaluate the safety of the environment of the outside company, as well as consider how they interface and the back-ups and safety systems they install. Smart secured lenders are evaluating cybersecurity risk at all phases of the due diligence process, including evaluating client practices as a part of underwriting and field exams.
Protecting Sensitive Data
Richard Palmieri, managing partner at ANR Partners, describes the extent and possible harm that a major cybersecurity attack could represent to a client. “It’s certainly possible for a company to suffer a malware or ransomware attack that could effectively put a smaller or middle-market client out of business, unless they quickly find a solution to the attack,” he says. Generally speaking, most asset-based lenders and factors are responding to cybersecurity attacks on their own, but there are outside cybersecurity and risk firms that are actively helping lenders to rebuild infrastructure after an attack.
Often, the entry point for a cyber criminal isn’t through sophisticated hacking. Human error is often the gateway for a cyber threat. Katherine A. Lemire, president of Lemire LLC, admits that lenders with client-friendly platforms need to have various precautions in place to prevent a breach. But she does note, “I haven’t seen a successful phishing expedition happen just because of a user-friendly platform.” It’s often human error and sloppiness by employees that’s the real problem.
Understanding the Basics
Cybersecurity controls certainly need to evolve, just as the threats do, says Lemire. However, a secured lender can have the most knowledgeable tech experts on staff and a trusted third-party cyber risk firm at the ready but, without the basic precautionary steps in place, data breaches are sure to occur. Lemire notes that it’s often the simplest security errors that get a lender in trouble. For instance, to reduce the risk of spoofing, secured lenders shouldn’t name their Wi-Fi network with the firm’s name or put employee email addresses on the website, she says.
Lemire also recommends teaching employees to never hit reply to emails requesting large amounts of cash or click on strange links and attachments. “Instead, type in the client’s email address that you know,” she says. In other words, check to make sure you have the right email address and not one that’s simply been spoofed. And while the employees at an asset-based lender or factor might have deep knowledge about finance and their client’s industry, that is often not the case with cybersecurity. “You have to simplify it for employees and users and educate the staff by describing cyber threats,” says Lemire.
Some firms have advanced to using encryption as a means to protect documents, which adds complexity to managing hundreds of passwords for the encrypted documents. While a firewall and continuous antivirus scans are essential, Lemire also admits that no system is 100% breach-proof. The goal is to avoid a cyber attack or minimize and quickly discover and fix a breach that might lead to some sort of business interruption. “It’s an interconnected world,” she adds. “There’s a great benefit from being connected, but it comes with a great risk.”
Understanding the Reality
Lori Nugent, shareholder at Greenberg Traurig LLP who has served as a first-responder for more than 1,000 data breaches, notes that the Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview predicts that 27.7 percent of the studied organizations will have a material breach in the next 24 months. “Nothing connected to the Internet can be made 100 percent secure, so it’s important to be prepared for a breach,” says Nugent, who refers to a data breach as “a tipping point” for most organizations. “Your reputation will never be the same. It will either be enhanced by the character you show in responding well to the crisis, or it will be diminished if the situation is mishandled.”
Secured lenders should focus on taking practical, proactive steps to mitigate the risk and enhance their resilience when faced with a cyber attack, Nugent notes. “By taking steps now, lenders can significantly improve the outcome when a serious breach happens.” Nugent suggests developing and testing an incident response plan, involving IT, in-house and outside counsel, compliance, finance, risk management, public relations, and human relations.
It also makes sense to know exactly what happens to legally protected data from the moment it’s obtained until it’s destroyed. Nugent notes that secured lenders should take legally defensible steps to protect data, as well as ensure that data shared with a vendor is protected. “While a vendor’s contractual indemnification obligation helps, the secured lender still remains responsible to regulators and clients,” Nugent adds. Reserves and cyber insurance can serve as a financial buffer if a significant breach happens. Cyber insurance is particularly important from a cash flow standpoint since breach response costs add up quickly at a time when revenue may be decreasing due to the reputational damage.
Nugent also suggests the use of multi-factor authentication for access to legally protected information, including transfer of funds. Increasingly, regulators are expecting this protection. But when regulators respond to a breach, she recommends that the key is putting it in context. “Be ready to highlight the key protective steps your organization is taking, including vendor management, and its experience in successfully thwarting other breach attempts,” she notes. “The regulatory environment is tense. For over a decade, state and federal regulators have been encouraging organizations to take data security seriously, so when a new breach happens, regulators are frustrated. That’s why being prepared to defend matters.”
The Reputational Risk
Secured lenders certainly need to be proactive to prevent hacks, says Michael Stanley, managing director and head of Rosenthal and Rosenthal. “Companies are relying upon the vendors and their customers to join their networks to optimize the supply chain, and the supply chain platforms are increasingly connected,” he adds. It gives everyone a broader reach, but a greater risk. Major cyber threats can present a risk to business not only for the short term, but for the long term as well. “It’s all about our ability to manage our business and consistently and quickly fund our clients,” he notes. It’s also about maintaining the brand.
The financial costs from a cyber attack can be high, but there’s also the reputation risk that a serious breach can cause and the subsequent loss of clients, says Stanley. The information lenders receive about clients and prospects is extremely sensitive—financial data, business plans, trade secrets and customer lists, just to name a few. It only takes one time, one breach of a client’s data, and a secured lender’s reputation is suddenly at stake, he notes.
Stanley believes the next step is for financial services and regulators to work together more effectively to protect the industry and their clients and customers from cybersecurity threats. “Cyber attacks are something that no one wants to talk about, of course,” he says. But Stanley argues that the industry and regulators need to join forces to head off the major threats from coordinated, organized, and sophisticated state-sponsored hacker groups outside of the country.
An Evolving Threat
Given the dynamic nature of cyber threats, secured lenders have to be vigilant about constantly educating themselves, says Jennifer Palmer, president of Gerber Finance. And while safeguards are necessary for the lender’s own data, lenders also need to have serious conversations with their clients about the importance of protecting theirs.
Big Data and analytics can help to reduce cyber threat incidents. “As more organizations make the transition to a digital environment and learn how to mine their data, they will be able to better identify threats and mitigate or eliminate them before they become a bigger problem,” notes Gerber. “Even though firms have implemented safeguards, hackers are always trying to stay one step ahead of us, so we need to always seek expert advice and review our policies and procedures to ensure they always remain relevant and up to date,” she concludes.