At Hamilton Bank, a Towson-based financial institution with seven branches, cybersecurity used to be one employee’s part-time job a few years ago and an outside security company would come in every three years for a couple of days to check the security systems. Today, the security team includes three well-trained employees, and that outside company tests the bank’s systems every year for two weeks.
“Security used to be a very minor expense,” said Hamilton CEO and President Bob DeAlmeida. “It’s a major line item in our budget now.”
The 24-branch, Oakland-based First United Bank and Trust, meanwhile, has invested in sophisticated cybersecurity technology, regularly trains employees at all levels to be wary of cyber threats such as phishing, and does regular assessments of its anti-hacking protections and its response to threats.
“We’ve invested in all of the three pillars (of cybersecurity) – prevention, detection and response,” said Matthew Growden, vice president and chief information officer at First United.
And since it opened 14 years ago, the now-21-branch, Baltimore-based Howard Bank has at least doubled cybersecurity spending, elevated information security to a senior position and instituted training and testing of employees with simulated cyberattacks.
“This is a big deal in the industry,” said Howard Bank founder, Chairman and CEO Mary Ann Scully. “We’ve had to add layers and layers and layers and staff and vendors and so on, to do our best to combat it.”
Like their counterparts across the country, financial institutions of all sizes in Maryland have awakened to the need to protect against hackers and other cybercriminals, a threat that haunts all businesses, but is especially critical for banks.
A recent blog from ISG Technology, a Kansas IT service management company, called cybersecurity the top concern of financial institutions both large and small. In 2017, the blog noted, the financial services industry was the “most targeted industry” for the second year in a row.
A September column in the Harvard Business Review, meanwhile, suggested that the next global financial crisis might well come from “a cyber attack that causes disruptions to financial services capabilities, especially payments systems, around the world.”
Local bank managers and cybersecurity specialists don’t argue with those assessments.
“Financial systems run our world, from large enterprises to individual consumers,” said Gregg Smith, CEO of Attila Security, in Fulton, which provides cybersecurity to government agencies and businesses. “Protecting their assets and the way everything works is vital to our daily lives. … Cybersecurity is paramount for banks.”
The good news for anyone who uses a bank is that the experts also agree that financial institutions tend to do a better job at cybersecurity than just about any other industry. And statistics bear that out.
The most recent report on breaches by sector from Statista, an online research and intelligence service, found that in 2017, only 1.7 percent of all data breaches in the country were in the banking/credit/financial sector. (The health-care sector led the way with 23.7percent of all data breaches.)
More local figures are not available, but none of the local bankers or state security experts could recall a breach at a Maryland bank, and those experts had nothing but praise for the cybersecurity efforts of banks here.
Smith said Attila Security works with a number of financial institutions and that those institutions generally “do an outstanding job of protecting assets … I’ve been doing cybersecurity a long time, and they are one of the leading market segments in protecting the assets they are accountable for.”
Stacey Smith, executive director of the Cybersecurity Association of Maryland Inc. (CAMI), a nonprofit organization that supports the state’s cybersecurity industry, said that banks “are in many ways ahead of the curve in having cybersecurity processes and procedures in place. … Financial institutions are the ones that are doing the most and investing the most to be secure.”
Kathleen Murphy, president and CEO of the Maryland Bankers Association, said banks have good reasons to focus on cybersecurity.
“People need to know their financial information is protected, they need to have that confidence,” she said. “That’s the bedrock on which we (the banking industry) was founded.”
Besides needing to keep the trust of their customers, banks have another reason for keeping their assets safe, Murphy and others said. Federal and state regulations governing the banking industry, which always have been among the tightest in the country, have tightened even more in the past few years as a result of cyber-threats and some successful hacks. Banks can be fined, lose their charter and otherwise punished if they don’t follow the tight cybersecurity regulations.
As concern about cybersecurity has mushroomed, private companies have stepped in to help, as have banking organizations like Murphy’s, with advice, seminars and more.
This fall, for example, the MBA organized two education events for community bank directors and trustees, and both included a special session entitled, “Staying Ahead of Cybersecurity.”
The less-than-good news about banks and cybersecurity, the experts say, is that cybercriminals still view financial institutions as tempting targets. And those increasingly sophisticated and determined criminals are a far cry from the grammar-deficient barristers of years ago who emailed people at random offering fabulous business opportunities for a modest fee.
Darrell Laffoon, CEO of EZShield+IdentityForce, an identity protection company in White Marsh that works with a variety of banks, agreed with the other experts that financial institutions tend to do a very good job of protecting themselves and their customers.
“But when it comes down to protecting yourself against cybercrime, you can never fall asleep,” Laffoon said. “Criminals are always trying to innovate. And there’s always a way to get the data.”
CAMI Executive Director Smith, asked whether Maryland Banks are well-protected, said: “I don’t know but I sure hope so. I hope that they’re taking it very seriously and investing what’s needed.”