The Federal Reserve Bank of Boston has provided the New England region’s banks a safe space to discuss cyber threats. The FRBB’s second annual Cybersecurity Conference, held this year on May 1, is the most recent event in its program to address and combat cyber threats.
The program, conducted by FRBB cybersecurity experts, is independent of its supervisory oversight of banks, said Jasvinder Khera, FRBB’s lead security systems engineer, a conference presenter. The FRBB’s non-disclosure agreement facilitates information sharing among bank peers, a vitally important cyber-defense component. The Cyber-Threat Sharing Forum, which runs throughout the year and targets small- to midsized banks, meets once a month in person and every other week in a virtual format.
With more than 60 participating organizations and 100 individual participants from all over New England, the Cyber-Threat Sharing Forum has expanded to the point where it has become unwieldy to have them all at a face-to-face forum in Boston. The FRBB intends to establish satellite locations where participants can view simulcasts of guest presentations at a more regional level. No confidential participant information is conveyed during the simulcast.
Knowledge Is Power
Program participants report faster reaction times during cyber incidents, more proactive risk management and improved resource management, and a trusted peer network. That’s critical, said Khera. A malicious actor uses the same tactic on more than one financial institution, and the sooner knowledge of that tactic is shared, the shorter the window of opportunity to strike multiple targets.
In their conference presentation, Khera and his colleague Michael Rodehorst, FRBB assistant vice president and information security officer, revealed survey results showing that 84 percent of conference participants sent their data to third-party vendors for processing or storage. “I was expecting that [number] to be higher,” Khera told Banker & Tradesman. With more companies gravitating toward cloud storage and away from physical servers, security risks are heightened. “It’s difficult to ensure that third-, fourth- or fifth-party vendors apply the same controls that you would,” he said.
Rodehorst added that while IT customers have the most leverage before signing a vendor contract, they must constantly monitor security issues going forward to ensure that the vendor relationship hasn’t changed over time.
Addressing vulnerabilities in products whose support has ended, and the use of outdated operating systems or web browsers, is another weak spot. And even the most current vendor product doesn’t substitute for education of staff on the risks of social media and phishing tactics, he said in a video presentation.
Boston Police Detective Steven Blair advised attendees to verify transfer requests with a phone call. If a CFO gets an email request seemingly from the CEO to transfer funds to a bank, a confirmatory phone call to the CEO is in order.
Hackers use malware to remotely monitor routine activity at their target bank, and then post fake transfer orders, costing banks around the world hundreds of millions. Syntax and formatting errors can give away the ruse, but only if the people viewing the requests pick up on them.
“If we believe that cybersecurity is an IT challenge with only IT solutions, we’re neglecting the human element,” said Daniel Hoffman, a former U.S. intelligence officer, in a video presentation at the conference.
A Breeding Ground For Mischief
John Ayoh, director of information technology at the Central Bank of Nigeria, provided a vivid look at the human cyberthreat factor. Nigeria is the largest economy in Africa, heavily oil-dependent. Diversification is proving to be difficult. Cash transactions have been largely supplanted by technology; a staggering 92 percent of money transactions were done via technology in 2016 in Nigeria. The overwhelmingly young population (median age 18.2 years – half the U.S. median) and high unemployment have led to a ripe breeding ground for cyber mischief, Ayoh indicated in his presentation.
“The propensity for young people to use technology for the wrong reasons is higher,” he said.
He called for stakeholders from the Nigerian government and the legislature to come up with a plan to address cyber-threat risks.
Another presenter, Don Anderson, senior vice president and CIO at FRBB, indicated in an interview after the conference that Nigeria poses as much opportunity as threat. “They don’t have the stability and legacy of their banking system [as] we do,” he said. With so much financial activity occurring on mobile devices, Nigeria could “leapfrog” to create a more-developed structure. He called it “an explosive opportunity,” adding, “Security built in from the ground up – that will be the talk for the next couple of years.”
Editor’s Note: This story has been updated to clarify the relationship between the FRBB’s Cybersecurity Conference and its Cyber-Threat Sharing Program. It has also been updated to reflect that the FRBB intends to establish satellite locations for guest presentation viewing; it has not yet done so.