Choosing a bank means more than just giving it money. Consumers must trust the institution to protect not only their financial assets, but also keep their Social Security numbers, passwords, dates of birth, and other sensitive data away from hackers. And now, trusting the bank means trusting its third-party vendors as well.
Most recent breaches at major banks have resulted from companies that the bank hired for tasks ranging from monitoring their networks to upgrading their air conditioning. For example, breaches last year that exposed customer data from Bank of America and Fidelity Investments Life Insurance didn’t come through the companies’ own servers—they resulted from a vulnerability at a service provider, Infosys McCamish Systems. Five years ago, a breach at SolarWinds, maker of a network-monitoring tool, victimized 18,000 companies, including the U.S. Treasury, the Federal Reserve, Visa, Mastercard and Credit Suisse.
Moriah Hara, the founder of Vigilance Security and the former Chief Information Security Officer at Wells Fargo Capital Markets, puts it bluntly: “Your billion-dollar budget,” she says, “is only as good as your smallest vendor.”
Financial institutions’ distinct cybersecurity challenges are why Forbes has created its first-ever list of America’s Most Cybersecure Banks. In partnership with the research company SecurityScorecard, for which Hara is an advisor, the ranking highlights the 50 U.S.-based banks with the best website security and cybersecurity infrastructure. Of course no bank is immune from breaches to its servers or those of its vendors. But these elite 50 emerged from thousands of U.S. banks for demonstrating the highest level of technical capabilities, regulatory compliance, risk management practices, board-level involvement in cybersecurity issues, and more.
Flushing Bank, a regional institution serving New York City, finished No. 1. Other smaller banks filled out the top 10 along with more familiar names such as PNC (No. 4), Discover Financial Services (No. 7) and Goldman Sachs (No. 10).
All qualifying banks (see Methodology below) were considered equally, regardless of whether they were customers of SecurityScorecard. And as with all Forbes lists, companies do not pay any fee to be considered or selected.
Aleksandr Yampolskiy, CEO of SecurityScorecard, says that financial companies as a sector have risen to their challenges, performing “as good as any” overall and “demonstrating an exceptional commitment.” Nonetheless, when the Securities and Exchange Commission strengthened its public reporting requirements last fall by requiring all publicly traded and otherwise tracked companies (brokerages, for example) to report significant incidents within four days, the new rules encouraged swifter communication of supplier involvement as well. Companies also now must address cybersecurity issues at the board level.
Despite the rules’ clear benefits, Randal Milch, professor of practice at New York University Law and co-chair of the NYU Center for Cybersecurity, says they might also have a downside. They could make scapegoats of companies’ chief information security officers.
“This need to hold people, to hold businesses, accountable—I really liken it to going on the battlefield and shooting the wounded,” Milch says. “I think that we’re going to enter an era where there’s going to be less positive movement, because of over-regulation and the desire for retribution.”
A.J. Grotto, an advisor to both the Obama and Trump White Houses on cybersecurity policy, says that in an environment where nation-states see virtual bank robbery as a way to fund nuclear missile programs, every financial institution is a potential target.
“The North Koreans have gone after other banks,” says Grotto, now a research fellow at Stanford University Cyber Policy Center. “They’ve gone after cryptocurrency exchanges and wallets. Their desire is just to raise hard cash.”
Tom Doughty, CISO at Generate:Biomedicines and another SecurityScorecard advisor, says that attackers’ use of artificial intelligence is also increasing—particularly to create fake emails that seem ever-more legitimate to dupe customers and employees into transferring money or giving access to accounts.
“The business email compromise attacks can become, and have become, much more convincing in the specific context of what a recipient might expect to get from a known business partner,” Doughty says.
A rising concern in cybersecurity circles is the increasing sophistication of ransomware attacks, where hackers deploy malicious code to hijack data and coerce companies to pay to get it back. Hackers may threaten to release the data publicly or to tattle about their breach to regulators, and even say they’ll exploit the personal data of corporate executives.
Jim Dempsey, a lecturer and expert on cybersecurity at the University of California-Berkeley School of Law, says bank CISOs face serious career and personal threats.
“Between the ransomware actors and the nation-state attackers,” Dempsey says, “it’s a very daunting environment.”
METHODOLOGY
Created in partnership with the research company SecurityScorecard, Forbes’ first-ever America’s Most Cybersecure Banks list ranks the top 50 U.S.-based banks whose website security and cybersecurity infrastructure make them best-in-class. These elite institutions were identified from the thousands of U.S. banks for demonstrating the highest level of technical capabilities, regulatory compliance, risk management practices, board-level involvement in cybersecurity issues, and more.
To be eligible for the list, each bank had to be: U.S-based; publicly-traded; earning a minimum annualized revenue of $100 million; the subject of no publicly reported breach in the past 12 months; and the recipient of at least a “B” SecurityScorecard rating for the past 12 months. All qualifying banks were considered equally regardless of whether they were customers of SecurityScorecard. And as with all Forbes lists, companies do not pay any fee to be considered.
SecurityScorecard’s publicly-available ratings already consider a wide range of factors, such as breaches, vulnerabilities, the speed of applying patches, regulation compliance, and even hacker chatter about possible exploits. But Forbes’ list goes several steps further. In consultation with a panel of industry Chief Information Security Officers, additional categories include patching cadence (days taken to fix potential vulnerabilities); the presence of a CISO (or equivalent) for the previous 12 months, with a bonus for that CISO having at least 10 years of industry experience; and the presence of a cybersecurity professional on the company Board of Directors.
For questions about this list, please contact listdesk [at] Forbes.com.
