Preventing Cyber Fraud – Video
The COVID-19 pandemic no doubt saw fraud increase exponentially during 2020, and cyber fraud specifically has continued to grow at the same pace during 2021. The continued remote workforce and increased online consumer activity make this the perfect storm for illicit actors.
What can financial institutions do to prevent and detect cyber fraud? The first step is to perform a cyber fraud risk assessment. This type of risk assessment is most likely new to the financial institution, but now that fraud is listed as one of the eight FinCEN AML/CTF priorities, it may be time to include it as part of the BSA/AML enterprise-wide risk assessment.
Once completed, the risk assessment is something a BSA professional should present to the Board, executive management, and other stakeholders such as IT security. If the evaluation indicates that the department needs more resources or improved technology to reduce hard-dollar fraud losses, the assessment becomes the starting point for the business case.
The next step in improving an institution’s fight against fraud is to assess its infrastructure and cybersecurity program. A gap analysis is critical to understanding any further fraud mitigation that may be needed. If the BSA officer finds gaps, does the institution need to increase mitigation, or does the gap fall within its risk tolerance? The answer will differ among financial institutions and should come from senior management.
When thinking about the risk tolerance for a financial institution, it is usually framed as a hard-dollar loss. If the institution loses a couple of thousand dollars, will anyone lose sleep at night? The financial institution may have a risk tolerance for that amount, maybe more, maybe less. However, when the stakes are national security, terrorist financing, or cyber-attacks that shut down the economy or halt the U.S. energy supply or food chain, cyber-attacks and cyber fraud are much more than a hard-dollar loss. Institutions should consider what their true risk tolerance is for cyber fraud, including reputational risk. Most financial institutions have almost 0% risk tolerance for these more severe threats.
Establishing enterprise-wide security policies and procedures is important. Institutions have them, but are they thorough enough?
Ensure cyber fraud reporting is compliant
The next step would be to implement an audit trail to log all security threats for forensic evidence. Ensure that the financial institution reports all cyber fraud to FinCEN as required under the suspicious activity report (SAR) requirements.
Include cyber-attacks in the business continuity or disaster recovery plan. What if an attack, such as ransomware, brought an institution’s systems down completely? What if the attack is so severe that it takes six months to get back up and running? Adjust the business continuity plan to make these risk-based decisions and minimize the downtime and disruptions if a serious threat occurs.
Ensure all data is properly encrypted
The next step should by now be well ingrained in financial institution culture. Encrypting and securing data that leaves the organization is critical. How well is the institution’s staff trained on encryption policies? Do they remember to hit that secure or encrypt button when sending e-mails? Are they sending customer data via e-mail? Training and staff testing should be done to ensure solid encryption practices are being followed.
BSA officers need to continue training staff to confirm that any unusual e-mail is from the stated party and is legitimate. Training should include picking up the phone to verify with the sender so that staff do not get caught in a business e-mail compromise scheme. Another way to help deter cyber fraud is to have staff turn off their computers each evening. Yes, there are times when night maintenance needs to be done by the IT team, but the routine practice of turning them off will stop those night prowlers from entering a system. Severing those connections is critical to halt malware or spyware on the server.
Lastly, train, train, and train the staff again. Annual training is typical, and most financial institutions do it because it is required. Staff testing may be warranted more frequently, however, since it is human nature to click away. It is not costly to test staff periodically, perhaps quarterly, to ensure that the team is not letting fraudsters into the database and IT systems. Following these steps will help protect the financial institution and its customers’ data.