It is well-known that community banks have been the backbone of America’s financial services economy for years. They maintain a vast amount of the U.S. lending market, including residential mortgages, small business loans, and the agricultural space. But it is also well-known that community banks have been hit hard in recent years—both due to burdensome regulation and last decade’s recession.
To be precise, community banks’ share of U.S. banking lending markets and assets hovers around 20 percent today. In 1994, it was more than 40 percent. It is estimated that the recession of 2008 decreased community banks’ market share by roughly six percent, but what seems to have been even more detrimental (at least on its face) is the passage of Dodd-Frank.
Since that bill was passed in the second quarter of 2010, the market share rate of decline for community banks has doubled when compared to the 2006-2010 timeframe. Perhaps most troubling is the fact that this decrease is happening in the larger markets most vital to community banks, including small business loans and mortgages.
Now is not the most opportune time for community banks to have to worry about yet another threat, but the troubling truth is that there is a rising concern that could trump all others if community banks are not properly prepared: hackers and the ongoing cyber war for customer information. Of course, it is the big banks like Bank of America, Goldman Sachs, and JP Morgan Chase that dominate the headlines, but smaller banks are much more at risk to cybercriminals hoping to hack into the U.S. financial system.
Yes, community banks’ chief concern is to keep their customers’ (and their employees’) information secure. But the issue goes far beyond simply guarding against a possible—if not imminent—cyber attack aimed at stealing sensitive information. Community banks are naturally a broader target due their sheer number, and their connectivity to other, larger banks.
This last point is key: hackers are targeting community banks not simply to steal their information, but as a stepping stone to reach a larger, more valuable pool of data. In other words, even if your bank isn’t the victim of an initial attack, a hacker can use another, smaller, more penetrable bank as a bridge of access into yours.
So what can be done? Naturally, an aggressive security firewall is necessary, but there is an often overlooked element of the process that is important as well: a communications strategy. This strategy should not just be drafted and implemented with local media in mind—employees, customers, potential customers, shareholders, and other banks also are key audiences and third parties that should be factored into an incident response plan.
Cyber attacks happen quickly, and before a bank can properly regain its footing, it is left trying to answer difficult questions like “How did this happen?” and “How many people does this effect?” Before you know it, the situation has spun out of control and there is no plan in place to contain it. When considering where to start with your communication plan, consider the following goals:
- Always aim to convey all the facts of any incident (and no more than the facts) directly and personally to your key audience(s)—while striking an appropriate calm, non-alarming tone.
- It is important to demonstrate genuine care and concern as well as a commitment that you are taking any issue seriously, without painting a graver picture than is warranted.
- Protect those who are potentially affected by an incident, and clearly demonstrate the actions you are taking to prevent it from happening again.
Banks—especially community banks—are some of the most targeted institutions for hackers. They naturally hold large amounts of money and sensitive information, but most also offer online and mobile banking and ATM services that open up other avenues to ambitious cybercriminals. Community banks would be wise to understand the wider impact fully a cyber attack could have, not just for themselves and their customers, but on other banks and the U.S. financial system as a whole.
That’s why it is imperative to start actively outlining, testing, retesting, and constantly updating a communications strategy now before you are ever asked, “Why didn’t you see this coming?”
Robert Gemmill is a Vice President in LEVICK’s Litigation practice and a contributing author to Tomorrow.