Shielding sensitive customer information from prying eyes remains a chronic industry challenge. But as the prevalence of security breaches grows, so do the opportunities for community banks to position themselves as guardians of their customers’ personal data through compliance, technology and relationship building.
By Katie Kuehner-Hebert
Data privacy and security is a hot topic and is only getting hotter. It has implications for everything from regulatory compliance and risk management to a bank’s ability to engender trust in its customers.
According to a 2022 study by investment and intelligence company MAGNA, 74% of consumers say they highly value data privacy. Respondents also indicated a 23% increase in purchase intent for brands and companies with responsible data practices.
For all those reasons and more, it’s imperative that community banks position themselves as good stewards of their customers’ personal data. And while they can’t guarantee there will never be a data breach, they can communicate to customers everything they’re doing to minimize incidents and safeguard customer information—and their money—as much as possible.
Here are some pointers that community banks should consider about not only current threats but also opportunities, including how they can make the most of strong customer relationships to use data in a way that provides value to both parties.
How to reassure customers that their data is protected
The privacy of customers’ personal information is at the forefront of every community banker’s decisions, says Steven Estep, ICBA assistant vice president of operational risk.
“Community bank customers can be at ease knowing that community banks take the protection of their customers’ data very seriously, and community banks are regulated by some of the strictest data privacy laws of any sector,” Estep says.
The federal Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, specifically Regulation P and the Safeguards Rule, ensure that community banks are properly securing personal information while providing customers information about control over their data, he notes.
Regulatory oversight agencies require financial institutions to have routine information security audits and cybersecurity testing, and community banks could remind customers of the security testing practices independent parties perform for them each year, says Bob Hickok, senior manager, risk advisory services at Eide Bailly LLP in Fargo, N.D.
“Those banks that have rigorous in-house vulnerability management programs in place could comment on that to provide customers a higher level of comfort,” Hickok says. “Data privacy and security is very important to customers, as data breaches can lead to a loss of customers’ trust, a traditional core value in banking services.”
Community banks could also include links on their websites for customers to learn more about privacy and data security, he says. Best-practice sources include CISA, the Department of Homeland Security, NIST, the FBI, the FTC and guidance from industry leaders such as Microsoft.
“Considering the fast pace at which information security can change, [putting] customers in touch with leading experts is an easy way to provide help, as well as [show them that we understand] the concerns we all have about our own information,” Hickok says.
Mind your third parties
“In today’s mobile environment, banks and consumers have to also be concerned about who else they are allowing to access their data,” says Steven Estep of ICBA. “Many apps, such as ones that help with budgeting or peer-to-peer payments, require access in one form or another to the customers’ bank accounts. Every app that a customer provides credentials to, whether via API or directly to the app, becomes a new risk to the customer’s privacy.”
Banks should be familiar with what data these apps are collecting from their customer accounts, and customers need to be aware of the added risks they are exposing themselves to by sharing their financial data with these apps, Estep says.
7 current and emerging cyber threats to data privacy
Community bankers should always be apprised of the latest cyber threats to data privacy, says Bob Hickok of Eide Bailly LLP. “Cyber threats can change at a breakneck pace,” he says. “Attackers’ skills now are very advanced compared with even five or 10 years ago, and serious attacker groups are dramatically more skilled than 2010 and prior.”
1. Phishing continues to be the most common attack method used to start a breach. Once an employee is phished, attackers quickly work to identify vulnerabilities to exploit and gain greater privileges. “Those vulnerabilities include missing security patches and updates as we read about all the time,” Hickok says.
2. Misconfigurations can be default or blank passwords in critical network devices such as firewalls, switches and storage systems, as well as default passwords in software. “Many vulnerabilities exploited are the result of misconfigured settings in hardware and software,” Hickok says. “Those cannot be patched, so they must be identified and mitigated to remove the ‘low-hanging fruit’ vulnerabilities.”
3. Ransomware continues to grow as a threat to data privacy. In addition to locking data to prevent access by its rightful owner, attackers in recent years have routinely exfiltrated victims’ data before encrypting it. If the victim does not pay the ransom promptly, the attackers leak the stolen data publicly, in stages, until the victim is pressured into paying.
4. Supply chain attacks such as 2021’s breaches involving SolarWinds and other network security management tools and services continue to be effective. Such attacks can turn trusted security management tools into attack platforms with very high levels of access in the victims’ networks. Attacks on Active Directory are used to gain increased access and potentially complete control of a target company’s network, says Hickok. Active Directory attacks have become a common technique in most intrusions, following the initial compromise of a computer on the victim’s network. “As a result of COVID, many companies allow remote access connections into the network in far greater numbers than pre-COVID,” Hickok says. “This increases the likelihood of poorly secured computers connecting to the enterprise network, which, in turn, increases the company’s exposure to cyber threats.”
5. Double extortion involves bad actors not only demanding ransom to return stolen data, but also encrypting the data and then demanding payment for the decryption key. “There’s also been significant changes to cyber insurance, including increases in premiums and deductibles,” says Anna Kooi, national financial services leader in the Chicago office of Wipfli LLP. “There are also more exclusions from coverage if companies don’t have certain controls in place, such as multi-factor authentication, end-to-end detection and periodic testing of backup systems.”
6. Social engineering “is, and probably will remain, the most effective method for attackers,” says Steven Estep of ICBA. “Whether that is through phishing, vishing [voice phishing] or smishing [SMS phishing], the easiest way into a network remains through people.”
7. Undiscovered, or “zero-day,” vulnerabilities in common software are also targets for attackers, Estep says. Applying patches to software as quickly as possible is crucial in protecting data from potential unauthorized access.
The California Privacy Rights Act ripple effect
Community banks with customers in the Golden State should be well versed in the California Consumer Privacy Act (CCPA), which has led to similar laws in other states, says Tom Tollerton, principal and cybersecurity advisory at FORVIS LLP in Charlotte, N.C. “The federal government has been unable to pass comprehensive consumer privacy legislation, leading many state governments to introduce laws that would require organizations to protect personal information and limit how that information is used,” he says.
When the CCPA was enacted in 2018, it was the most comprehensive state data protection law passed to date, he says. CCPA was modeled closely after the European Union’s General Data Protection Regulation (GDPR). Like GDPR, California’s law is considered broad both in the nature of the data it covers and in the number of businesses it affects.
In November 2020, the California Privacy Rights Act (CPRA) was passed by California voters as a ballot initiative, amending and expanding upon the original CCPA, Tollerton says. Effective Jan. 1, 2023, the new law broadens the definition of covered data and expands consumer rights, including a private right of action in the event consumer rights are violated.
“One of the most significant changes CPRA brings to the California privacy law is the establishment of a California Privacy Protection Agency to implement and enforce rules under administrative law,” he says. “There are also significant obligations to which businesses must adhere, including increased transparency on the use of third-party processors and data storage limitations.”
California’s data privacy law only applies to for-profit businesses with a gross annual revenue of over $25 million; that buy, receive or sell the personal information of 50,000 or more California residents, households or devices; or that derive 50% or more of their annual revenue from selling California residents’ personal information, says Estep of ICBA.
“While the CCPA does provide a data-level exemption for financial information covered by GLBA, it does not provide an entity-level exemption and significantly expands on GLBA’s definition of personal identifiable information, including geolocation data, internet activity, biometric data and inferences that can create a profile about a consumer,” Estep says.
Any business that has basic interactions with a California resident, including collecting website cookies from a California resident, may fall subject to CCPA, he says.
Other regulation around consumer data
Other states have enacted similar data privacy laws since the California Consumer Privacy Act came into effect, including Utah, Colorado, Virginia and Connecticut. Each of these states provides a full entity-level exemption for financial institutions governed by the GDPR.
The Federal Trade Commission recently updated the Safeguards Rule to extend its oversight to nonbanks, including mortgage brokers, finance companies and auto dealerships, according to Anna Kooi of Wipfli LLP. “Community banks that partner with such nonbanks should conduct due diligence and regularly check to ensure the third parties are complying with the Safeguards Rule,” she says.
Cybersecurity education matters
For many years, regulatory and industry best practice recommendations have included the need to educate customers, as well as bank employees, regarding data security, says Bob Hickok of Eide Bailly LLP.
Education topics for customers, as well as employees, should include:
- Best practices for passwords: long and strong, and never reused across multiple internet login accounts
- Ways to identify phishing emails and other social engineering threats
- Monitoring credit reports and bank account activity to identify and prevent fraud and identity theft in a timely manner
- Financial abuse and exploitation of elders
- Email account compromise, and how attackers exploit breached accounts
- The need to keep operating systems and other applications current with software security patches and updates
- The need to uninstall end-of-life software that is no longer supported with vendor security patches, since no security updates are available to plug security holes found in unsupported versions
Many community banks have held or sponsored customer and community education events. Shredding and disposal events for customers to securely dispose of paper and electronic storage devices (CDs, DVDs, disks, etc.) are often popular.
“Training employees regularly is crucial to promoting a strong culture of cybersecurity,” says Steven Estep of ICBA. “Banks should consider training on basic concepts of cyber hygiene, training on new and emerging threats, and job-specific training.”
Balancing marketing personalization with data privacy
Consumers are often willing to give up bits of their personal data in exchange for useful content, discounts and other personalized marketing offers. In fact, 83% of consumers say they understand the value in sharing data with brands under the right conditions, such as when they want to learn about new products, according to MAGNA.
So, what are some useful tips for creating meaningful marketing material that makes it feel worthwhile for the consumer?
To prevent “creeping people out,” community banks should make sure customers understand what it means to give permission to “give up” their data, says Anna Kooi of Wipfli LLP. “We all know now that whenever we are talking to someone on our phones, that if we mention something, like an upcoming raft trip in Colorado, we’ll then see ads pop up on our phones,” she says. “However, knowing that we’re giving up data and that others are using that data is a different thing.”
Community banks should clearly communicate to customers how their data could be used and should also make sure that any personalized offer that may pop up on phones, tablets or laptops is structured in a way that the customer doesn’t feel like they’re just being “sold,” Kooi says.
“They could lose trust otherwise, so banks have to be very careful how to do that.”
Katie Kuehner-Hebert is a writer in California.