ABA Banking Journal
By Evan Sparks
Disaster—whether natural or manmade—can strike at any time. Last fall saw two kinds of major disasters, each different and devastating in their own ways.
August saw Hurricane Harvey, the first of three powerful and destructive hurricanes over the next month that caused severe damage in Texas, Florida and Puerto Rico and propelled the 2017 hurricane season to be the costliest on record.
In September, Equifax disclosed one of the largest data breaches on record: the personal identity information of 145.5 million Americans was compromised, plus hundreds of thousands of credit card records. Its response to the breach was panned by members of Congress and the media as financial institutions work to limit the fallout.
In both varieties of disaster, the keys to survival are preparation and effective response. In the case of Hurricane Harvey, banks were ready. In Corpus Christi, the team at First Community Bank had weekly hurricane preparedness meetings and was watching the storm carefully. They deployed an operations team to a hardened backup site with the bank’s core processor to ensure that all back-end functions could continue and transactions could move. There would be no interruption in online or mobile services for business and retail customers.
Meanwhile, the bank was ensuring that its ATMs and branches were well-stocked with cash—both in advance of the storm and afterward. VP and IT officer Michael Mincey notes that ATMs saw high use for several days before Harvey hit. And the bank knew customers would need cash handy after the storm passed, especially if power and phone outages were prolonged.
Having been under the center of the storm as it made landfall, FCB’s Rockport branch—a brand-new facility open less than two years—was the most damaged, but power outages and floodwaters also closed other branches too.
The bank executed its business continuity plan with vendor Rentsys and arranged for a mobile branch for Rockport. Built into a trailer, the unit includes a vault, office space and teller line and provides for full service banking on a temporary basis. The mobile branch was up and running a few days after the storm. FCB waived fees for customers (and non-customers) who needed to get cash, and it cashed checks of up to $250 for non-customers living in the most damaged communities around Corpus Christi Bay. To get the word out about the accommodations, as well as branch reopenings and temporary hours, FCB stayed active on social media.
FCB’s response also met more tangible needs—Texas-style. Two days after the storm, as first responders continued working in Rockport and neighbors began cleaning up their properties and assessing the damage, FCB staff volunteers brought their barbecue pit trailer to Rockport and cooked up fajitas and sausage wraps all day long. All told, the bankers fed about 1,000 first responders and neighbors, says Nick Black, a VP and branch manager in downtown Corpus who led the effort.
While the Equifax breach didn’t happen to a financial institution, it is instructive to any organization that, like banks, handles sensitive customer data. “Cyberattacks are more frequent, diverse and destructive than ever before,” says Adam Levin, founder and chairman of CyberScout, a data breach response firm that works with banks. The American Bankers Association recently endorsed CyberScout’s breach preparation and response services. The company helps banks develop remediation plans, handle initial calls from customers and ensure compliant notification to affected parties.
The Equifax breach demonstrated several errors before and after the breach—starting with a failure to apply a patch for a critical vulnerability in a piece of software the company used and continuing through a botched response that included an overwhelmed website, an inadvertent mandatory arbitration clause and social media posts referring the public to a phishing site.
“Every organization has or will suffer a breach of some kind, and we have to assume that every individual has been compromised,” says Levin. Just as with natural disasters, man-made disasters like data breaches require preparation too.
