The predator-prey relationship on the African Savanna is quite dramatic and conspicuous. The animals that take part are some of the most popular in the animal kingdom. The star predators are, of course, lions, but leopards, cheetahs, and crocodiles also get time in the spotlight. Gazelles, wildebeest, and zebras are popular players in the role of pitiable prey. You may have noticed that elephants, rhinos, and hippos are rarely preyed upon. Why? It’s quite simple. Size. These animals are just too big. Even if you are a fierce 500-pound lion (a veritable giant in the predator world), you just aren’t going to want to mess with a 13,000-pound elephant, no matter how hungry you are. Now what does this have to do with financial institutions? Well, if you’re a cyber criminal—even if you’re a really good one—you’re probably not going to go after one of the financial institution giants. Why? Because the large institutions put up enough defenses to make being a criminal difficult. Instead, you’d start looking at different targets. And one particular class of targets that may not result in a big score, but still provide a decent payday for the bad guys, is smaller financial institutions.
Hence, while most of the cybersecurity talk is focused toward large financial institutions, what governing dynamics theory tells us (and what we’re hearing from regulatory agencies) is that midsize and smaller institutions are actually more attractive targets because malefactors presume that their security measures may not be as robust and they are not being pursued by other predators. So, small or mid-size institutions—this one’s for you.


What are the potential consequences of a cyber attack? The list may be short, but it is chock-full of detrimental consequences:

  • Data compromise
  • Identity theft
  • Transactions blocked
  • System crash

These consequences might actually be more disastrous for smaller institutions than for larger institutions for the same reason that smaller institutions are an “easy” target—a smaller staff or smaller budget might get completely put out by any of kind of data breach.

What Can You Do?

Here are seven suggestions to help an institution build up its defenses and become less appetizing to predators:

  1. Maintain a current cyber risk assessment. Based on the risks identified in this assessment…
  2. Implement appropriate risk-mitigation controls. Look closely at vendor due diligence to make sure that contracts, where appropriate, give you the opportunity to:
    1. Review the third party’s security and response policies;
    2. Review the third party’s audit reports and the responses they make to any findings that are described in report; and
    3. Ensure that the vendor will immediately notify you if there is any breach of their system.
  3. Create or enforce a strict password policy. It might be a good idea to have a regular schedule for creating new passwords and to ensure that passwords are not written down via unsecure methods or shared between employees when inappropriate.
  4. Manage patches—meaning the implementation of a timeframe that indicates when and which “patches” (security updates) should be applied to which machines/applications.
  5. Assess whether you have network monitoring systems adequate to mitigate risk you’ve identified in your risk assessment.
  6. Write cyber attack response procedures. In the event that you experience a cyber attack (and we hope you don’t) written procedures ensure you’re ready to make an appropriate and timely response.
  7. Practice the response procedures. Doing this will make sure your staff is familiar with them and can effectively carry them out.

Information Security Program

In addition to these practices, the FFIEC suggests that every institution should implement an information security program. A strong information security program can be just what a smaller institution needs to keep cyber criminals at bay.Here are the four areas your information security program should focus on:

1. Risk Identification

Risk is generally divided into categories, and one of these is operational risk. Operational risk is the risk of failure or loss resulting from inadequate or failed processes, people, or systems. Both internal events (such as human errors, misconduct, and insider attacks) and external events (such as natural disasters, cyber attacks, changes in market conditions, new competitors, and new technologies) affect operational risk.
An effective information security program includes processes to continuously identify threats and vulnerabilities from both internal and external events. Risk identification should categorize threats, sources, and vulnerabilities to determine the institution’s risk profile.

2. Risk Measurement

A good risk measurement process effectively determines how much risk a threat or vulnerability poses to an institution. Threat analysis tools also help in understanding and measuring risk information. Some of these tools include event trees, attack trees, and kill chains. These tools help to break down an event into different stages and better understand the event.
In addition to threat analysis tools, a method of categorization for security-related events can help with the following:

  • Mapping threats and vulnerabilities
  • Incorporating legal and regulatory requirements
  • Improving risk management consistency
  • Highlighting potential areas for mitigation
  • Allowing comparisons between different threats and events

3. Risk Mitigation

Identifying and measuring different risks is useless without a sound plan to mitigate those risks. An effective risk mitigation plan includes an understanding of the quality and extent of current control environment. Threats and events can be unique and often require case-by-case treatment. Your risk mitigation program should include procedures for how to tailor mitigation action to individual risks.
Obtaining, analyzing, and responding to information from various sources on cyber threats and vulnerabilities is also important. Compiling this information into a repository of cybersecurity information will help with conducting risk assessments and will help you establish cyber risk trends.

4. Risk Monitoring and Reporting

A successful risk monitoring and reporting program tracks information about an institution’s risk profile and identifies gaps in risk mitigation effectiveness. Because threats change frequently, particularly in the way they can exploit vulnerabilities, monitoring is essential. Having a current risk profile that takes into account changing risks will help keep your institution secure.
The small or mid-size institution that follows this course is the small or mid-size institution that survives a cybersecurity attack—or at least, the cybersecurity exam—no matter how much the attackers seem to understand governing dynamics.