No One's Safe from Cyberattacks: Former Wells Fargo CIO

All banks, regardless of size, must invest more in technology despite shareholder pressure to cut costs, according to former bank executive Victor Nichols.

The recent cyberattack on JPMorgan Chase, and potentially other banks, highlights the need for the added investment, said Nichols, who recently joined the board at Bank of Hawaii in Honolulu partly for his technology expertise.

"What we're learning from these attacks is that everyone is susceptible and no one is safe," he said.

Nichols should know. He was Experian's chief executive of North America and president of global consumer services. Before that he was chief information officer at Wells Fargo.

At Bank of Hawaii, Nichols said he is expected to regularly advise a management team that already understands technology.

"They have some very strong touch points when it comes to being safe and secure with privacy," Nichols said of the $14 billion-asset company. "Technology plays into their business model strongly."

Nichols, in a wide-ranging interview, also discussed readiness against cyberattacks, core systems upgrades and the need for periodic third-party reviews. Here is an edited transcript.

What did you think when you first read about the cyber attack? It appears to be a coordinated attack on financial institutions?

VICTOR NICHOLS: I was curious to see exactly how, if it is malware, it got implemented into the environment. Chase is well-known for working to prevent this kind of thing, so it's a concern to understand the details behind it. My immediate fear is that, once again, it's linked to some interaction with a team member or a vendor. That's a trend we're seeing. It seems like it always links back to a team member or a vendor.

What's the best way to defend against these attacks when it seems employees are often the entry point?

Team member security training needs to be more constant and more vigilant. This is no longer an annual reminder to employees to be vigilant. It needs to be a daily part of life. Every time someone logs into the system, hit them with something that causes them to think about security.

Is an institution the size of Bank of Hawaii vulnerable to these kinds of attacks?

Bank of Hawaii invests in security as much as anyone, but what we're learning from these attacks is that everyone is susceptible and no one is safe.

There’s ongoing discussion in the industry whether banks should spend big to upgrade technology. At the same time, cost control is a concern. What is your philosophy?

My feeling is that they are both semi-correct. You need banks to evolve to serve their constituents well — investors, their communities and certainly their clients and consumers. To do that, you have to continue to make investments in technology, but you have to do it in a way to serve the other constituents. There has to be a return on the investment and a return on the value that you will deliver to customers. It's not a simple decision of whether to invest or not.

What is the most important aspect of technology banks should address?

There are so many components that are interrelated. You can't say it's all about mobile, or all about security, or all about moving things to the cloud. It's got to be all of those things in a bit of balance and it even includes the data center and operations. That's one of the real keys to managing technology correctly. Certainly there are the hot spots like mobile or digital, or trying to do things in the cloud. As we pursue those, there have got to be complementary investments. It's really a combination.

Do you think U.S. banks will soon start to convert their core banking systems to platforms like Tata Consultancy Services' Bancs platform, similar to what has been done in Europe, Australia and elsewhere?

That's in vogue right now, and especially from the large consulting firms that are playing on that. Consumer behaviors in Europe are very different than the demands here in the U.S. Some of that will play through, especially on the mobile and digital interface fronts. I don't think it will be a massive change here to adopt those practices. That's not to say the American consumer isn't moving towards digital or mobile. That's absolutely happening, but it's not as focused as it might be in some other countries.

Should banks always hire an outside consultant every few years to evaluate their technology?

They should hire one every so often, but not always. If you have things that appear to be higher risk or have things that are complex, you can benefit by having the opinion of outside parties. You may not always agree or take that advice. There is no right answer for one right architecture. There are multiple ways to go and try to make sure what you are going to implement is going to be addressed all through the machinery of technology. And having more opinions is especially helpful.

For reprint and licensing requests for this article, click here.
Community banking Bank technology Consumer banking
MORE FROM AMERICAN BANKER