The next great crisis for the banking industry may well be cybersecurity, in the view of Mark Quandahl, director of the Nebraska Department of Banking and Finance. Quandahl delivered his comments at the annual conference of the Nebraska Independent Community Bankers last month in Lincoln. The program, "Executive Leadership on Cybersecurity," was put together with support from the Conference of State Bank Supervisors.
"It's time to take it from the server to the boardroom," said Quandahl in introductory remarks that were a recurring theme throughout the session.
Philip Hinkle, director of IT security examinations for the Texas Department of Banking, spent much of his presentation on corporate account takeovers and the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool.
Cyber criminals are "hitting everybody," he noted, including small retailers and gas stations. "They are not as aware of the risk as bankers are," Hinkle said. It is incumbent on banks, he believes, to spread the word.
"Call your customers in," he said, "and explain to them how corporate account fraud works. It's hard sometimes to get them to come in, but Rotary clubs and other civic organizations are looking for luncheon speakers. You probably know more than anybody in your community about cybersecurity. You're the experts."
The threat will continue to evolve and grow, Hinkle warned the NICB members. "New vulnerabilities provide criminals with pathways into your organization. You need to be proactive and get ahead of the problem."
Calling attention to the FFIEC Cybersecurity Assessment Tool, Hinkle listed several benefits to institutions that use it: identifying factors contributing to and determining the institution's overall cyber risk; assessing cybersecurity preparedness; evaluating whether cybersecurity preparedness is aligned with the risks; and determining changes that could be taken to achieve the desired state of cyber preparedness.
Kelly Lammers, deputy director of the Nebraska Department of Banking and Finance, called the FFIEC's guide "a great tool." In his view, "Cybersecurity can no longer be seen as an 'IT' problem. This is a risk-management problem."
In his presentation, he highlighted a description of the risk management process from the Conference of State Bank Supervisors:
"Bank CEOs should strive to create and implement an effective and resilient risk-management process to enable proper oversight and to ensure that you are effectively managing cybersecurity risks. Key elements of a risk-management process should include the initial assessment of new threats; identifying and prioritizing gaps in current policies, procedures and controls; and updating and testing policies, procedures and controls as necessary."
Executive management must commit to developing a corporate cybersecurity culture, Lammers advised. This means cybersecurity should be on the agenda at least monthly; the amount of time spent valuing cybersecurity should be reviewed; a culture should be instilled to make certain all employees have buy-in for brand protection and risk reduction; and cybersecurity should be included in ongoing training programs.
Enhanced management oversight practices should be implemented, Lammers advised. Build in and demonstrate fluidity in risk assessment and incident response processes, he suggested, and regularly monitor various channels for threat updates and effectively communicate them to the organization.
And, as Hinkle did, Lammers urged carrying the message beyond the bank. "Community outreach will enhance customer awareness and strengthen relationships," he said.
In a session devoted primarily to changes in the state's electronic banking law, Jeremy Vice, director of channel strategies for NETS Inc., also touched on skimming devices attached to ATMs and POS terminals for stealing customer data: inspect ATMs for skimming devices and cameras regularly; look for parts that don't match, card readers and cameras above the brochure rack, holes drilled and keypad overlays. Customers should be informed, he advised, of the potential for skimming devices.
Vice also had suggestions for procedures in the event a fraud device is discovered. They include notifying law enforcement and/or the Secret Service, and the ATM processor so the terminal can be taken offline temporarily. The area should be cordoned off and the ATM monitored visually until law enforcement arrives. Observe the perimeter for anything unusual, such as people and license plate numbers, and retrieve video evidence to determine how long the skimming device has been attached to the ATM.
In another session, U.S. Secret Service Agent Scott Collogan noted that skimmer fraud typically happens along interstate highways in rural areas. He advised calling the Secret Service if a skimmer is found, and pointed out that the agency shares information with the bank if account numbers have been compromised.
Collogan also warned about ransomware attacks, where hackers lock up a bank's system or a customer's system and demand ransom for the data.
Coincidentally, a related alert was issued a day or two prior to the conference by the FFIEC. The alert noted the increasing frequency of cyberattacks involving extortion and said financial institutions should address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems.
Bill Poquette * Editor-in-Chief
Copyright Bank News, Inc. Dec 2015
