For Small Banks, Cyberattacks Carry Long-Term Consequences
The Financial Services Information Sharing and Analysis Center (FS-ISAC) shows that cybercrime is quickly becoming one of the most significant emerging threats to small banks in 2021. Cybercriminals continue to improve their tactics and seek opportunities to gain illicit control of financial systems and data. High-profile attacks on banks and financial institutions have been headline-making news for years, but small banks are targets even more frequently. For many of today's professional cybercriminals, small banks make a far better target than large national brands. Big banks can afford to spend more than $1 billion annually to detect attacks and trace them back to their source – and hackers know it. Small banks can rarely match that level of vigilance.
Local and regional banks form a critical part of the national banking system. These institutions interact with one another in a complex system, presenting an appealing target for experienced hackers. Compromising even a small community bank can easily lead to more significant opportunities down the line.
Interconnected Banks Enable a Market-wide Cyberattack Kill Chain
Cyberattacks against financial institutions continue to grow every year. In 2015, threat actors targeted banks and financial organizations four times more than other industries. Four years later, financial firms had to defend themselves against cyberattacks 300 times more often than those in other industries. While early cyberattack attempts were mainly opportunistic "get in and get out" operations, today's threats are more sophisticated. Advanced Persistent Threats (APTs) are sustained attacks that infiltrate networks for weeks, months, or even years. These attacks require more resources, planning, and experience than most rogue hackers possess.
So far, the top five largest banks in the United States have proven themselves resilient to these threats. Hackers and cybersecurity experts alike understand that the country's 4000+ small banks may not fare as well. Those small banks account for over one-third of all commercial banking assets. According to the Federal Reserve Bank of New York's report, the interconnected system between large and small banks is highly vulnerable to cyberattacks, which have damaging second- and third-order spillover effects for other institutions. The report identified a set of small banks that might threaten the solvency of one of the five most active US banks. Cybercriminals can realize this cascade effect simply by coordinating an attack on six small banks, each below $10 billion in assets.
A successful cyberattack on these banks could cause a "kill-chain" effect. Inter-bank wholesale funding may experience disruptions, leading to a catastrophic liquidity crisis throughout the market. There are multiple paths to this outcome, and many of them rely on the fact that it's easier to compromise multiple small banks than one large one. But catastrophic system failure isn't the only probable outcome. Risk managers and senior decision-makers must also consider the effects of cyberattacks and reputation loss on their institutions.
Reputational Damage Forces Banks to Lower Credit Standards
Small banks represent a much higher security risk than large ones. They are also more likely to face long-term reputational damage because of a cyberattack. Alarmingly, damage to a bank's reputation can also force it to lower its credit standards and take on riskier customers. An in-depth analysis of small commercial banks that suffered cyberattacks between 2005 and 2017 found that customers reallocate their deposits away from victimized banks following a cyberattack. This "flight-to-reputation" favors large banks, which customers see as being resilient against future cyberattacks.
As low-risk customers flee towards more reputable banks, victimized banks attract higher-risk customers to replace their losses. On average, deposits appear to fall by over 20% over time, while victimized banks approve roughly the same number of mortgage and loan applications as they did before the attack. If victimized banks approve mortgage applications at the same rate as they did before suffering a cyberattack, while primarily serving riskier customers because of reputational damage, it implies they must approve riskier loans to maintain the quota.
In local markets with little competition, small banks that suffer cyberattacks can sometimes counterbalance reputational damage. They can do this by offering higher remuneration for deposit products. That might help them maintain or establish relationships with creditors. However, in markets where customers have more opportunities to switch banks, rates typically decrease following a cyberattack. There is no evidence for long-term reputational spillover effects of the kind described by the Federal Reserve Bank of New York at the local market level. Cyberattacks generate dangerous spillover effects towards branches of large partner banks, but not necessarily to competitor banks in the same region.
Altogether, cyberattacks undermine the trust customers place in banks and cause significant reputational damage, particularly to small banks. This damage creates a cycle of adverse business effects, reducing the victim's competitive position while also forcing it to serve riskier customers.
How to Keep Small Banks Protected
The traditional cybersecurity approach of barricading systems against one another is not sufficient against the risks of today's interconnected financial environment. Zero-trust policies can play an important role when delivered through encryption, master data management, and data access audits. Encryption ensures that data is secure. Master data management (MDM) solutions consolidate personally identifiable information for users and employees, establishing a single reference point for data operations. Regular data access audits can ensure that employees and third-party vendors do not retain privileged access to data they no longer need. But banking executives and stakeholders must do more than implement best-in-class cybersecurity solutions. The vulnerabilities of the interconnected banking system create a demand for a more holistic approach to cybersecurity. Taking part in industry-wide cybersecurity information exchanges like the FS-ISAC is the best way to ensure financial markets remain secure against increasingly dangerous cyber threats.
Gradient is a cybersecurity vendor that specializes in assessing threat risk for small banks and financial institutions.