May 7: Note on why Millennials need LOs; cyber-security is more than not posting your password on a sticky note – what are your vendors doing about it?

There’s all kinds of disagreements about “the average age” of whatever. Usually someone will say the average age of a loan officer or real estate agent is 54, and then someone else will say it’s 47, and then a wise guy like me will say it is 73. Usually someone who is in their 70s will say, “Geez, we can’t get any young people into this business” and someone else will exclaim, “That’s because people like you aren’t retiring to make room for them” at which point the first person responds with, “I can’t retire – all my retirement money was in Nat City/Fannie/Freddie/WAMU/(pick one).” After that they start talking about “the old days” when business was great even with rates at 12%.


On the other end of the scale, from the home of the Coast Guard Academy (CT) Manny Gomes writes, “I need to chime in on the millennial conversation. I myself am a millennial at 32 years of age and have plenty of friends in this age group and thanks to Facebook and social media I have been able to track a very large number of millennials who love to post things, especially milestone moments such as getting engaged, married, or having children. I will tell you as of late I have seen a much larger interest in home ownership from this generation. In speaking with this generation it is clear they only become interested in home ownership when marriage or children enter the picture. I have noticed buying a home in a stable school district has become the number one motivating factor for pursuing home ownership. To be honest I can see why there is no sense of urgency for this generation to purchase a home.


“Home prices are for the most part stable and interest rates come back down every time they creep higher. But one thing which has been pushing them over the fence other than the interest the milestone moments in life provide are rising rents. We are reaching a point where it is making more and more sense to buy vs rent and millennials are starting to realize this and those who are ready to plant roots are beginning to take action. The problem I have seen them run into is mass confusion. There is way too much information available on the internet to this generation and they don’t know what information is accurate and what information is not. To tap into this generation, you need to become a counselor/educator and help them through the decision making process. Those who do this will set themselves up for the next 10 years or more of their careers.” Thank you Manny – I agree 100%.


I will continue to beat the drum about cybersecurity although I personally know nothing about computers aside from “turn it off and wait 10 seconds and then turn it on and see if that fixes the problem.” Bangladesh is missing $81 million, and is blaming the NY Federal Reserve Bank. I sure haven’t seen it, although when I asked my cat Myrtle about its disappearance she acted like she didn’t hear me. Very suspicious.


I received this note from a lender: “Last week, our website was hacked over 1,100 times within a single day. We later found out that a Russian and Ukraine IP address was attempting to get into the backend of our website, specifically into the area where we house our 1003 applications. You can just imagine the anxiety and tension that day. Cybersecurity seems like a faraway problem to most companies and people until it happens. The ‘it’ll never happen to us’ and ‘why would anyone want to hack my website’ mentality is what will truly hinder small companies if they don’t beef up their security.”


A survey on risk practices by Bank Director finds that risk teams are most concerned with the following categories: cybersecurity (77%), compliance (54%), credit (39%), operational (29%), interest rate risk (26%), strategic (23%), reputational (20%), liquidity (7%) and legal (7%). Huh? Your company isn’t big enough to have a “risk team?” Maybe you should think about throwing one together.


I often hear this when visiting with folks. “Hey Rob, don’t use my name, but our company just lost $XX,XXX on a wire that was sent to a fraudulent address.” I certainly hope that the companies that have this happen report it but victims are not good at sharing information and collaborating. The Financial Services Information Sharing and Analysis Center, the top threat sharing group in banking, has thousands of bank members. Speed of threat data sharing is critical. Many organizations that suffer massive breaches will only talk about it a year or two later, after all the litigation has been settled. By that time, intel that would have protected others from being victimized has probably gone a little stale.


The FBI reports cyber scams where fraudsters impersonate company executives in emails successfully stole $2.3B from Oct 2013 through Feb 2016. Bankers should continue to alert business customers of the scam and tell them to train employees that random emails requesting money transfers from the CEO or other executives are likely fake and should be triple checked with other methods to ensure legitimacy.


A recent survey conducted by BuckleySandler LLP and Treliant Risk Advisors LLC found that more than one third of businesses, “…do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred.” Additionally, 73 percent of survey respondents did not think a fourth-nth-party (vendors/service providers hired by third-party vendors) would inform them if they had a data breach. Half of respondents confirm their institution has experienced a data breach caused by one of their vendors. A large majority of respondents (65 percent) said it’s difficult to manage cyber-security incidents involving vendors and 58 percent said they were unable to determine if their vendors’ safeguards and security policies are enough to prevent a cyber-attack, while 41 percent believe their vendors’ policies and procedures are sufficient. The survey also highlighted the need for companies to enhance and strengthen their vendor management programs, as only 38 percent of respondents said their institution establishes and tracks metrics regarding the effectiveness of vendor risk management and 48 percent have a vendor risk management committee. Finally, 62 percent of survey respondents said their board of directors does not require assurances that vendor risk is being assessed or monitored appropriately, or they are unsure.


Many community banks are still not doing enough to protect themselves and their customers from cyber threats. The Bank Director’s 2016 Risk Practices Survey found the majority of bank boards are still not addressing cyber threats at every board meeting and as many are not even talking about it. This is particularly troubling given how prominent cyber-attacks have become in our world. All banks are at risk because after all, it is nearly impossible to stop countries from hacking in and the government right now seems nearly powerless to stop these attacks.


Steve Brown from PCBB reports that, “Certainly some progress in the cyber arena has occurred over the past year in the banking industry, however. In this year’s survey, 34% of respondents reported that their board reviews cybersecurity at every meeting vs. 18% last year. It’s also encouraging that 78% now say their bank employs a full time chief information security officer vs. 64% last year. Also, nearly 50% say their bank has a chief risk officer exclusively focused on risk, while 37% said their risk officer is also focused on other areas of the bank.


“This survey and others indicate there’s still room for significant improvement. For instance, consider a CRO report that finds 54% of respondents say their bank has a chief risk officer, but the board never meets with them. Further, only 21% say the CRO’s performance is reviewed, and compensation determined by, the board or a board committee. Also concerning is that more than 50% of banks don’t have a separate board-level risk committee exclusively dedicated to risk governance. To manage risk, it is important that transparency is there and both directors and managers are involved from top to bottom.


“Certainly, community banks can’t be expected to expend the same resources to erect cyber defenses as their large bank counterparts. In 2015 for example, Bank of America spent $400mm on cybersecurity and JPMorgan said it is going to spend $500mm this year. That said, it is important not to fall into the trap of believing that being a community bank makes you an undesirable target for cyber thieves. Here, you only have to go as far as your email to find fake CEO requests to send wires. Cyber thieves are everywhere and their sophistication has ramped up significantly in past years. They now use fake emails, fake websites, and fake people augmented with insiders as they attempt to steal money from banks.”


Legaltech News recently had a story titled, “Defining a Data Breach Response Plan Starts with Understanding.” And certainly attorneys are tuned into the issue. For example, from the National Law Journal comes, “E-Discovery Unit Thrives in Washington under Winston & Strawn.”


Most data breaches happen fast — in a matter of minutes, according to a new Verizon report. Lenders tell borrowers that the impact on them and their credit report could make for a very long-lasting financial headache. Cybercriminals institute data breaches to steal a borrower’s Social Security number, credit card number, bank account information and many other forms of personal financial information. These thieves still find success with phishing emails. Per the report above, 30% of phishing messages were opened. This compares to the previous year’s figure of only 23%. Meanwhile, 13% of those clicked to open the malicious attachment or nefarious link.


And in 93% of cases, attackers were able to compromise systems in just a matter of minutes.

Verizon analyzed more than 2,260 confirmed data breaches and more than 100,000 reported security incidents, finding that 89% of all attacks involve financial motives while ransomware attacks were up 16% from 2015. Meanwhile, 63% of data breaches were thanks to weak or stolen passwords.


Also blamed for data breaches are “miscellaneous errors,” which can include improper disposal of sensitive information, misconfiguration of IT systems, and lost and stolen devices, such as laptops and smartphones. These errors also include people mistakenly sending sensitive information to the wrong person, which accounts for 26% of these errors, Verizon found.

When your information is stolen, thieves will typically sell it — or use it for themselves — to open as many accounts as fast as they can in your name. Unfortunately, you may not find out about it until you’re applying for a mortgage, opening a line of credit or financing a car, when it’s already too late.


Lenders tell borrowers to implement a two-factor authentication for applications and social networking sites, encrypt their data if possible and limit who is authorized to access it. It is also helpful to be familiar with the signs that someone’s identity has been stolen or their credit information has been compromised.


Borrowers should be told that staying informed about their credit scores and individual credit accounts is also helpful in minimizing any damage done by data compromises. One can check their free annual credit report every year at, and keep track of their credit scores by viewing two free credit scores, updated monthly at, to make sure there aren’t any fraudulent accounts on file.


If you’re near Dallas on the 12th the MBA is offering a workshop titled, “FFIEC Cybersecurity Assessment Tool Deep Dive”.


From American Banker comes a story from Penny Crosman on key takeaways for banks on recent data issues. “The motives for data breaches are increasingly financial. This obviously makes banks more of a target than ever. Banks are getting hit hardest in their web applications. Some apps are compromised through code injections. GozNym malware, for instance, typically inserts code into banks’ websites that creates pop-up screens asking for personal information. Through SQL injection, malware can access sensitive information in databases or gain access to other parts of a network through a web app.


“Web app attacks are hard to detect since banks have thousands, sometimes millions of legitimate users accessing their sites. Finding the bad behavior in the noise is difficult, especially if the cybercriminals use multiple proxy servers and space their attacks over minutes or days. The best defense? Two-factor authentication.”


And “distributed denial-of-service attacks” are the second most common security incident for banks in 2015 – 34% of their total. DDoS attacks, those malicious streams of traffic aimed at websites to shut them down or at least cause slow performance and embarrassment, continue to increase, partly because they’re easy and cheap to do. The attackers typically use compromised systems organized in botnets to carry out their attacks.


“The starting point for breaches is usually phishing, the sending of emails with malicious attachments or links that allow malware to be downloaded to the user’s computer, or that fool users with their message to share sensitive data. The report recommends protecting networks from compromised machines by segmenting the network and implementing strong authentication to prevent hackers from going from phishing to full-scale reconnaissance of the bank’s network.”



Sign on the back of a septic tank truck: “Caution – This Truck is full of Political Promises”





(Copyright 2016 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)

Rob Chrisman