Virginia Bank Starts Offering Cybersecurity Services

Increasing cybersecurity and boosting revenue are among bankers' biggest concerns.

As interest rates stay low and competition remains fierce, small banks in particular have turned to new products and services to lift profits. Meanwhile, banks and other businesses have faced an onslaught of disruptive cyberattacks from groups aiming to steal data or make political statements.

TowneBank (TOWN) in Portsmouth, Va., has found a way to address each concern with one solution. The $4.4 billion-asset company recently bought a minority stake in Sera-Brynn, a Suffolk, Va., cybersecurity firm. TowneBank plans to offer information security and compliance services to commercial customers.

Businesses "can provide significant deterrents to force criminals to move on to someone else that isn't as well protected," says J. Morgan Davis, TowneBank's president and chief banking officer. "It's like putting in a motion detector and dead bolts on your door. It doesn't necessarily keep a criminal from breaking in, but it certainly helps."

TowneBank began looking into providing cybersecurity services last year after one of its merchants was hit with fraud. Client payment information was exposed and the bank began to realize its own potential liability, Davis says. Under agreements with credit card companies, banks can be held responsible if merchants fail to take proper security measures, he says.

"When you are talking about merchants, their security is absolutely full of holes," says JB Snyder, principal and chief executive at bank security firm Bancsec. "For a hacker, it can be child's play to breach a merchant's system, especially compared with a bank."

Hacking has become much easier as more work is done on employees' personal mobile devices, which may lack the necessary security measures, says Vann Abernethy, senior product manager at NSFOCUS. Workers may unknowingly pick up malware on their tablets or smart phones and an infection can then expose a company's customer or banking data.

Instances of mobile malware rose 614% in March from a year earlier, according to Juniper Networks. There are 5.6 million potentially malicious files for Android alone, with 1.3 million confirmed as malware, according to the mobile working group division of the Anti-Phishing Working Group.

"A lot of companies don't have security or situational awareness of what is going on," Abernethy says. "Business owners think they can download an app and it makes their life easier," but they don't think about the security measures that must be taken.

Providing security services is another way for TowneBank to address this concern and deepen relationships with customers, Davis says. The bank already has experience running different business lines that include an insurance agency and a real estate firm. Roughly 30% of the company's profit comes from noninterest income, Davis says.

Many banks are considering ways to expand into areas such as insurance, real estate brokerage and wealth management, says Thomas Parliment, chairman and CEO at Parliment Consulting Services. With margins under pressure, banks "need to look for the ancillary sources for fee income," he says.

In the second quarter, noninterest income rose more than 5% from a year earlier, averaging $12.1 million, based on American Banker analysis of 380 banks with $40 billion or less in assets.

Noninterest income at TowneBank rose 18% in the second quarter from a year earlier, to $24.5 million.

Still, a small bank expanding into cybersecurity is unique, industry experts say. It gives TowneBank a "differentiator and tells clients that we have these other programs to help you with your security so you can focus on running your own business," Abernethy says.

It seemed like a natural fit since clients already "trust banks to protect their money so we hope they would trust us to protect their information," Davis says.

Still, there are pitfalls that any bank entering cybersecurity should consider, experts say. For instance, the bank must make sure that it has the right expertise on staff to provide great service, says Terry Keating, managing director at Amherst Partners.

Sera-Brynn was able to hire experienced people who were laid off from government contractors after recent spending cuts, Davis says.

Though the move also provides an opportunity to cross sell to clients, banks are rarely successful at doing so, Keating says. Often the bank does not align incentives to make sure that employees properly offer other services to the right customers.

"It can be difficult to integrate a business," Keating says. "It takes a lot of blocking and tackling."

Any bank providing cybersecurity services also needs to consider its potential exposure if a customer has a security breach, industry experts say.

If a commercial client suffers an account breach where a large sum of money is stolen, it could become a sticky situation addressing who is responsible for covering those losses, Snyder says.

"There seems to be a deeply implied liability for the bank, who claims to provide cybersecurity protection to its customers," Snyder says.
