Securing customer data will be the top technology focus of community banks in the coming years, according to a survey released in October by the Independent Community Bankers of America. Security displaced concern with containing the cost of technology, which dominated ICBA's 2006 survey.
And community banks are putting their money where their mouths are, with more than half of respondents reporting that their institutions will increase spending on fraud detection and security systems. They were not asked about the amounts they will spend.
As for the technology issues they are grappling with now, the top three items cited by the 1,300 community banks that participated in the study were risk management (81 percent), protecting data and infrastructure (74 percent), and adding value to the organization (52 percent). Asked about their concerns over a two-year horizon, however, an emphatic 81 percent rated the security of customer data as the top priority, followed by keeping up with emerging technology (66 percent) and keeping IT systems available (63 percent). The comparative replies in 2006 were keeping technology affordable (64 percent), system security (60 percent), and, jointly, data security and keeping up-to-date on technology (55 percent).
"There's a real difference between the 2006 and 2008 results," observes Cary Whaley, director of payments and technology policy with ICBA. Although the Washington, D.C.-based association made a couple of minor changes to the wording of this year's questions, which might have slightly elevated data security as a response, according to Whaley, "There's definitely an increase in concern about security," he says, adding, "A customer data breach is a reputational risk."
Interestingly, among survey respondents the smallest banks voiced the most anxiety over data security: 85 percent of those with less than $100 million in assets ranked identity theft as their top concern, compared with 69 percent of those in the top bracket surveyed, banks with more than $500 million in assets. The current consensus definition of a community bank is one with $3 billion in assets or less, although ICBA's almost 5,000 members have assets ranging from $2 million to $15 billion. It polled 8,258 banks.
Hackers Targeting Small Banks?
According to Richard Winston, an Irving, Texas-based senior executive with Accenture, it's likely that community banks are under a new level of attack. "The perception is that they won't have the most sophisticated security," he explains.
Indeed, there have been some indications lately that criminals increasingly may be targeting community banks. This past summer, BS&T chanced upon warnings on the home pages of several small banks alerting their customers to phishing attempts directed at them. One New England bank that was targeted had less than $500 million in assets. Another, which is based in the South and has $2 billion in assets, was among many targeted through their service bureau, Calabasas, Calif.-based Digital Insight.
An executive with the Southern bank who spoke on the condition of anonymity, however, rebuffed the suggestion that hackers may be focusing on community banks, noting that "Many of Digital Insight's customers are large banks." A Digital Insight spokesman said the July 17 scattershot e-mails claiming to be from Digital Insight were shut down within hours and that "There were no data breaches" resulting from the phishing scheme.
Still, ICBA's Whaley acknowledges that "It's possible community banks are being targeted more because they are seen as weaker links in the chain." He notes that early phishing attempts were directed at the biggest banks. "With thieves," he says, "when one door closes -- whether it's BofA, Wells or whatever -- they are going to try every other door."
The financial crisis hasn't diminished community banks' resolve to secure their doors, Whaley adds. ICBA respondents were polled in June, but Whaley informally confirmed their commitment to spend on data security technology as recently as Halloween. Speaking at a regional clearinghouse event, at Columbus, Ohio-based Payments Central, Whaley asked audience members for a show of hands: Would they now cut data security spending? Of 50 or so attendees, "None of them are considering reducing their data security," he relates. "Most are increasing it, and the looks I got said, 'This is one of the most absurd things you could ask!' "
Full results of the ICBA surveys can be viewed at www.icba.org/publications/index.cfm?ItemNumber=3982.