Lacking the staffing or resources of the big boys, community banks must often rely on third-party providers to secure their Web banking sites.
But entering into such arrangements does not mean bank executives can relax when it comes to ensuring the ongoing protection of Internet sites, experts warned.
"Community banks face identical security concerns to those of larger banks, with the exception that they have to rely on outside providers more, so they have to make sure those people are adequately addressing security," said Octavio Marenzi, a research analyst with Celent Communications. "You're really at the mercy of an outside provider, so there's extra need for caution."
The need for bank executives to play a greater role in Net security was underscored last fall when bank regulators issued guidelines for managing outsourcing partnerships. The Internet, regulators said, requires close attention to maintaining secure systems, detecting intrusions, developing reporting systems and verifying and authenticating customers. The guidelines said banks should conduct a risk assessment, exercise proper due diligence in identifying and selecting providers, obtain written contracts that clearly outline duties and responsibilities, and conduct ongoing oversight of outsourcing technology services.
Although aware of the risks associated with offsite Internet security, many smaller banks have no choice but to rely on the service. Even Salem Five Cents Savings Bank, one of the more innovative in Web banking, still outsources 100% of its Internet processing.
"Staffing to meet the administrative requirements of a full-blown security program does not exist," said Dawn Dillon, senior vice president of information systems at directbanking.com, the Web banking arm of Salem, Mass.-based Salem Five. Since staffing is stripped down, she added, "dependence on consultants is great and risky."
Dependence on third parties can lull banks into a false sense of security, in which they assume the vendor is taking care of everything.
"Since we outsource so much, senior managers and executives can easily fall into the trap of thinking, 'We don't need to worry too much because we don't have the systems onsite,'" Dillon said. Internal attacks, whether deliberate or accidental, are far more likely than those coming from the outside, she noted.
Although core transaction processing systems are likely to withstand an attack, the risks to banks are serious.
"While affecting customer balances is not likely, even the slightest intrusion affecting something as simple as a customer name and address can cause huge reputational damage," said Dillon.
Community banks typically lack the resources of larger institutions in coping with threats, said Mike Winter, president of Vifi, an Indianapolis-based provider of technology products to community banks. That may be what leads a number of community banks to avoid even asking about security procedures.
"Many community banks are still not comfortable with online technology," said Winter.
QUESTIONS AND ANSWERS
Winter advises community banks to approach an online processor exactly the way they would a core processing platform. "You should feel that security is a priority for the vendor. Ask them the bad things too."
Any vendor should be willing to discuss potential security problems, said Celent's Marenzi. "If someone's not willing to respond to that, then you're probably not willing to go with them."
Banks should carefully study the service level agreement, including acceptable use of the bank's data and penalties should something go wrong, he added.
directbanking.com's Dillon suggests that community banks ask vendors about penetration and vulnerability tests, and what kinds of formalized review and proactive monitoring procedures the vendor has in place, as well as formalized risk assessment and complete internal audit security programs. She further suggests that the vendor provide third-party assessments of its security systems.