Regulators step up focus on cybersecurity at community banks

Federal regulators are urging community banks to monitor the vendors they use for a wide variety of business functions, as cybersecurity becomes a greater concern for U.S. companies.

Banks of all sizes outsource functions to vendors. But smaller community banks tend to rely on vendors more than their larger peers, which have more resources to keep jobs in-house.

Some Charlotte-area community banks outsource functions to vendors that have come under regulatory scrutiny in recent years for their practices.

For example, regulators in 2013 hit Missouri-based Jack Henry & Associates with an enforcement action over “unsafe and unsound practices” when one of its facilities was flooded after Hurricane Sandy, disrupting service to banking clients. Jack Henry provides a variety of services to banks, including processing transactions and automating business processes.

Park Sterling Bank, a Charlotte-based bank that operates in four states, was among the Jack Henry clients affected when the facility flooded. Park Sterling CEO Jim Cherry said the disruption affected a “small number” of his bank’s branches but declined to elaborate. He said Park Sterling worked closely with the vendor to ensure customers’ deposits were properly processed.

In a separate matter, Florida-based Fidelity National Information Services, a large provider of transaction processing and other banking functions, reported a data breach in 2011. Cornelius’ Aquesta Bank has used Fidelity since 2006, Aquesta President Jim Engel said. The 2011 breach had no impact on his bank, Engel said.

Regulators are concerned about the possibility of data breaches from weak security protections at vendors, who can have access to large amounts of sensitive customer and bank data. Such concerns come amid recent high-profile cases involving large U.S. retailers in which vendor credentials were used to steal customer information.

At the same time, community banks are doing more outsourcing, as they seek to offer new products and services to compete with bigger banks.

Community banks often tout their ties to the communities where they do business. But their vendors, who might be based in other states, are not household names to community banks’ customers.

Speaking at a community bankers symposium in Chicago in November, Thomas Curry, the comptroller of the currency, warned that vendor relationships can pose “significant” risks to banks.

Curry said he was not trying to discourage the use of vendors. But he said banks need to carefully monitor their vendor relationships, as well as how those suppliers are connecting to other third parties.

Executives for community banks in Charlotte say they take the responsibility of protecting customer data seriously and are spending more on cybersecurity. They also say they are investing more time monitoring their vendors.

“It’s something you better pay attention to,” said John Hipp, who retired this year as CEO of NewDominion Bank, a community bank based in Charlotte’s midtown area. “You’ve got to be focused on what can go wrong.”

Added complexity

The growing web of vendors serving banks is adding to the complexity of the financial system, which creates opportunities for hackers, regulators say.

That increasing interconnectedness has also concerned some lawmakers.

At a cybersecurity hearing in December, Sen. Elizabeth Warren of Massachusetts asked a Treasury Department official to explain how Treasury is monitoring the chain of vendors linking back to banks. Warren cited the 2013 Target breach, in which hackers used a vendor’s credentials to burrow into the retailer’s systems and steal data on millions of customers.

“The risk comes in all the way up and down the chain,” Warren said. “We’ve got to harden our security up and down the line.”

Regulators have also expressed worries over what they say is a rise in consolidations among vendors, leaving banks dependent on a shrinking number of suppliers. “As a result, deficiencies at one vendor have the potential to affect a large number of banks simultaneously,” Curry said in a speech in April.

To be sure, even the nation’s biggest banks aren’t immune to cyberattacks. JPMorgan Chase, the largest U.S. bank by assets, said a cyberattack against it last summer compromised the accounts of 76 million households and 7 million small businesses.

But cybersecurity remains a big issue for community banks, which, according to the Independent Community Bankers Association, make up 96.8 percent of all U.S. banks.

In the Charlotte metropolitan area, community banks have about 3 percent of the local deposits, most of which are with Bank of America and Wells Fargo. But here and elsewhere, community banks are a primary source of lending to small businesses.

As pressure mounts to protect customer and bank data, community banks in Charlotte say cybersecurity is costing them more.

Engel, the president of Aquesta Bank, said his bank pays roughly $20,000 a month in total cybersecurity costs.

That’s $240,000 a year for a bank that made $1.71 million in profit in 2014.

“It’s always going up,” Engel said. “I can’t envision that ever going down.”

Outsourcing rising

Sean Mahoney, a Boston-based partner with law firm K&L Gates, said outsourcing is on the rise at community banks as they try to meet consumer demand for increasingly complex products and services, such as mobile and online banking.

“Because there are a handful of these companies, and the banks really can’t offer all the products and services they need to offer in-house, the banks are really dependent upon these service providers,” Mahoney said.

Community banks outsource many tasks, Mahoney said, including the crediting and debiting of accounts, the issuing of debit cards, fraud monitoring, and the development of mobile-banking apps. At larger banks, those functions tend to be handled internally, he said.

Even as small banks feel pressure from regulators to keep closer tabs on their vendors, they say they have little choice but to outsource.

“The smaller the bank, the more dependent you are on vendors because you can’t attract the level of expertise in a small-bank environment ... or afford the level of expertise in-house,” said Dana Stonestreet, president of Asheville-based HomeTrust Bank, which has branches in Charlotte and last year bought Charlotte’s Bank of Commerce.

Monitoring challenging

Some question whether community banks, with their limited resources, can sufficiently monitor vendors who might be headquartered in other states. Banks are required by regulators to monitor their vendors.

Hipp, the former NewDominion Bank CEO, called the process of monitoring vendors “very exhaustive.” It involves collecting “stacks” of data on the companies, he said. NewDominion, which is “highly focused” on monitoring its vendors, has staff dedicated to overseeing them, he said.

Avivah Litan, a fraud analyst for Connecticut-based Gartner Research, said it’s “pretty near impractical” for small banks to conduct an extensive study of a vendor. Small banks don’t have the budgets for those studies, she said.

If a small bank does uncover a problem and decides to find a new vendor, it faces high switching costs, she said. “And none of them are that much better than the others,” she said. “The small banks are at the mercy of their service providers.”

Litan said vendors are “very vulnerable” to breaches.

“You don’t hear about the breaches in the news because there’s no private-sector mechanism to report them,” she said. “I’m sure they’re under attack.”