Under Pressure, Small Banks Outsource Security

Facing increased pressure to improve their data security, a growing number of small and midsize banks are looking for outside help.

Some have outsourced the entire job of information security management. Others have created new positions in-house to oversee data security, but are shifting much of the compliance tasks to systems hosted by vendors.

Whatever lengths they go to, more companies will consider outsourcing, observers say, as auditors and regulators step up their efforts to ensure that banks of all sizes are safeguarding financial data.

At small banks, the chief information officers have typically been responsible for making sure the networks and systems are all working properly and for ensuring that the technology and data is well protected.

But Ratna Ray, the chief information officer at the $1.6 billion-asset Rockville Bank in Connecticut, said the growing pressure to tune up security has also made her workload heavier.

"One person can only do so much," she said.

Ray say that, because Rockville Bank already outsources much of its data processing — Jack Henry & Associates Inc., for instance, hosts its core processing — there wasn't enough work to justify hiring someone dedicated to overseeing data security issues.

"This is not a full-time position," she said.

Instead, following the recommendations of examiners and her own belief that the info security function required an independent position, Ray last year hired a local consultant the bank had worked with in the past, John DeMauro, as a part-time nonstaff information security adviser.

DeMauro had the right combination of skills — a knowledge of risk management and security, as well as bank technology — that Rockville Bank needed, Ray said.

DeMauro's services go beyond monitoring data logs and risk assessment to include reviewing the bank's policy and procedures, even employee training, Ray said. "The FDIC was actually impressed. They said, 'That's a very good process you have. You're really getting your money's worth.' "

DeMauro calls himself an "outsourced information security officer," and said he has a dozen clients. He launched his own business, Practical Security Solutions LLC, in February.

"A lot of these smaller banks are struggling in developing their information security programs," DeMauro said, noting that regulators have progressively tightened their security requirements over the years, starting with the nation's largest banks. "Eventually that pushed down to the smaller banks as well."

Regulators have generally supported the outsourced approach, DeMauro said. "So long as the skill set is appropriate and the contracts are well designed, they have no issue with it."

Other banks are keeping the information security job in-house but are using automated tools developed by vendors to monitor compliance.

Wayne J. Leiss, a vice president at Union Savings Bank, a $1.8 billion-asset thrift in Danbury, Conn., moved into a new position in January, as its information security officer.

"Regulators are looking for a dedicated security person. It's a new position we're fleshing out here," Leiss said. "It's been an internal recommendation from our accountants and auditors to put in place for a couple of years."

Union Savings had been an early user of Perimeter Internetworking Corp. for data security, so Leiss was willing to take the meeting when Andy Greenawalt, a former chief technology officer at Perimeter, came to talk about his start-up company, Continuity Engine, Leiss said.

Greenawalt, the founder and chief executive of Continuity Engine, said his work on the operational issues of data security exposed him to the intricacies of regulatory compliance.

"We grew an appreciation of how complicated it was," he said. So far, his company, founded in 2008, has developed four dozen individual modules that community banks can use, for issues as diverse as managing human resources policies and IT change controls.

"There's nothing sexy about this," Greenawalt said. The vendor's hosted service lets bankers make assignments for specific work items, set review periods and maintain audit trails of what they have done — "not the delivery of it, just the management of the policies and procedures," Greenawalt said.

Such an approach can help bankers address the concerns of auditors and regulators, he said. "Showing the document is only so interesting," he said. Regulators also want to know, "Did you do what you were supposed to do?"

Leiss said Union Savings began testing Continuity Engine's preconfigured modules, called ActionPacks, last week and it was too early to talk about results.

Rodney Nelsestuen, the senior research director of the cross-industry practice at TowerGroup of Needham, Mass., an independent research group owned by MasterCard Inc., said the pressure for banks of all sizes to shore up their data security will only intensify.

As larger banks manage data security more tightly, regulators likely will increasingly encourage smaller institutions to do the same, Nelsestuen said. "I think you're going to see more emphasis on internal controls, separation of duties and discipline around those things."

Even the smallest banks are beginning to feel the pressure.

Desiree Erickson, the IT/security officer at the $131 million-asset Sound Banking Co. in Morehead City, N.C., calls herself "your hands-on help desk" who handles all of the technology needs for the bank's 30 employees.

She said examiners have suggested that the bank delegate some of her functions to another person, a move that would improve oversight of its data management policies.

But the bank has countered that it is too small to hire someone to take on these tasks. "With the size we are right now, we have the ability to say the cost is not feasible for us, especially in the current environment," Erickson said.

Michael Menefee, the president of the Raleigh consulting company Wirehead Security LLC, said community bankers are taking more notice of data security issues, especially in the light of high-profile breaches, such as the theft of payment card information from the processor Heartland Payment Systems Inc. His started his company in January and provides services to Sound Bank.

The Heartland breach was disclosed in January and "was very visible to" community bank executives, he said.

"They had to bear the cost of that third party's breach," Menefee said. "What has changed is that they're getting more serious about security itself and not just the compliance aspect of it."

Menefee said that he has not yet seen greater pressure from regulators on community banks, but that he believes they need to ratchet up their security efforts.

"It's something smaller rural banks and credit unions are going to have a difficult time doing," he said. "It's a really big step I think the banking industry needs to take."

For reprint and licensing requests for this article, click here.
Bank technology Community banking
MORE FROM AMERICAN BANKER