As attacks against small-business bank accounts rise, an increasingly hot-button topic is who is responsible for the losses.
Consumers are covered by their banks, but many small-business owners wrongly assume they are covered. In response, some banks are stepping up publicity around their education and cyber response programs in hopes of heading off losses.
"These are important for security and to build trust between the bank and the client," said Nancy Atkinson, a senior analyst at Aite Group.
Bridgit Chayt, the senior vice president for global corporate products at Comerica Inc., said the Dallas company has a program to share best practices around password protection and phishing.
"Customers have always looked to banks for best practices on controls to prevent fraud," Chayt said. "We try to keep the awareness message in front of them. If you see something every day, you can become immune to the message."
That diligence is important because even Comerica, with all its education and response processes in place, can get ensnared in account theft controversy. Experi-Metal Inc. in Sterling Heights, Mich., filed a lawsuit against Comerica this year after a 2009 phishing attack circumvented the bank's two-factor authentication system and thieves stole more than $500,000.
The lawsuit charges that Comerica primed customers to become phishing victims by routinely asking them to click a link to update the bank's security technology. An EMI employee fell for a phishing scam that spoofed Comerica and claimed the bank needed to carry out scheduled maintenance of the banking software, according to the lawsuit.
Atkinson said the biggest problem for Comerica is reputational risk, but the suit could have broader implications. By law banks have to offer "reasonable" security, but that term is open to interpretation, Atkinson said. "This lawsuit will probably set the stage for what reasonable is."
At Comerica, whose officials declined to discuss the lawsuit, "30% of the bank's business customers have been with the bank for more than 20 years, and" the education and cyber response programs "are helping us remain successful in a tough environment," Chayt said.
An aspect of the Comerica program that has been a particular success, Chayt said, is an annual gathering where a hundred or more Comerica business customers swap war stories and share best practices. "They really appreciate the chance to talk to other customers," Chayt said.
George G. Surdu, an executive vice president and Comerica's chief technology officer, said that along with the educational program to help head off fraud, the bank has a cyber-incident response team that's poised to move swiftly when a breach of any sort is detected. The so-called "event management program" has four elements: event notification, triage, response and lessons learned.
What makes the team work, Surdu said, is having a clear communication structure that broadcasts trouble and assembles the core team. "The roles and responsibilities need to be clearly defined so we're working in lockstep."
The initial event notification that puts the cyber-incident response team into motion can come from anywhere in the bank: through the business side where fraud is suspected or uncovered, through the security team itself or through some reported anomaly detected on the technology side. No matter where the tip comes from the team mobilizes quickly through predefined call trees and audio conferencing to triage the situation and set priorities.
In the response stage the team breaks into two parts. There's a "technology bridge" in which team members assess the technology implications of the breach, asking what kind technology was behind the breach, what vulnerabilities did the technology exploit, and how and why it succeeded.
The "business bridge" team members, meanwhile, address the business implications of the breach. What processes need to be changed and who at the bank and among customers needs to be told? All these questions help to "define a set of actions," Surdu said.
Finally, there is the what-have-we-learned phase.
Surdu said that "virtually every event is different," so there's almost always a new takeaway to improve the process.
Even when the event is routine "we still go through the lessons-learned phase to keep ourselves fresh and alert," he said.