(Cyber) crime fighters: Onslaught of attacks has even rival banks joining forces

As executives at two warring banks in a competitive market for bankers, there’s nothing compelling John Kowal and Damiano Tulipani to get along — never mind for them to actually work hand-in-hand.

But, there’s more reason for camaraderie every day between Kowal, a senior vice president and chief technology officer at Peapack-Gladstone Bank, and his competitor-turned-companion, Tulipani, who has a similar role at Provident Bank.

Banks such as theirs are caught up in a constant churn of new cyberattacks and fraud attempts. They’re finding that collaboration can go a long way to combat cybercriminals, so they’re closely communicating — with the support of the state’s banker trade association.

Kowal’s expectation? It’s going to hurt scammers and fraudsters significantly, he said.

“Because, with how it works now, they’ll go after one bank, and, if they find no success there, they’ll go after another bank,” he said. “That could be advanced cyberattacks or just driving up to ATMs, trying to defraud tellers. But if we collaborate, that strategy becomes useless — because the banks that are hit first will communicate with the next bank.”

Peapack-Gladstone, Provident and other local banks are participating in a new special cyberrisks committee announced last month by the New Jersey Bankers Association, or NJBankers.

The committee, which will meet quarterly, is led by a coalition of cybersecurity experts from the organization’s member banks and other groups. The initiative also gives banks an outlet to communicate outside of those quarterly meetings, when there’s an event that could impact local banks.

Jenn Zorn, director of education and business development for NJBankers, said her organization is member-centric. And cyberrisks are at the forefront of its members’ concerns going forward.

Based on the 2022 iteration of the Allianz Risk Barometer survey, which polls businesses on the risks they’re focused on, cyberincidents rank as the financial sector’s most prominent peril. Over half of respondents to the regular survey placed that over business interruptions, supply chain outages and regulatory burdens.

Insurance company Allianz Global Corporate & Specialty also reports that its own analysis found that, of the more than 7,500 insurance claims for the financial services segment over the past five years, cyberincidents were the top cause of loss.

Kowal added that the losses from cybercrime can be significant for banking clients and customers as well, including businesses of all sizes.

“There might be an assumption out there that, if my business is small enough, I don’t have to worry about it,” he said. “But, it’s important to understand that, especially with these phishing-style attacks, you immediately become a target, no matter your size, when you fall into that wide net and take the bait. Even if an attacker thinks they can extort a couple thousand dollars, they’ll do it.”

Besides their own internal preparations, Kowal said banks appreciate opportunities to train customers in the communities they serve on the popular cybercriminal attack strategies being deployed.

“We want to make sure we’re aware of the cybercrime and fraud occurring, even if we’re not seeing it in our own bank,” he said. “Fraud that affects our clients is generally a lot easier (for attackers) than going after a bank directly. That’s why it’s so important to us to make sure customers are very well equipped, and also why there’s a need for collaboration across banks.”

Sometimes, it becomes apparent to a bank that other banks or bank customers in a particular region might be the next target for cybercriminals, Kowal said.

By sharing information about the methodology of those attacks with potential competitors in a way that goes beyond their typical regulatory obligations to report breaches, bank leaders believe they’re going to be better prepared themselves — when those other banks return the favor later.

Tulipani, who was brought in as Provident Bank’s chief information security officer late last year, said the need for collaboration between banks has become more evident as technological advances throughout the years have worsened cyberrisk. What was once perhaps a minor inconvenience can now lead to massive financial loss or weeks-long business interruptions.

“We’ve seen the attacks shifting and becoming more sophisticated over the years,” he said. “In classic ransomware attacks, it used to be that an adversary would lock one particular system and try to extort a company for ransom right away.

“Now, they’re able to hijack the entire ecosystem of an organization. Sometimes, before you even notice systems are encrypted, they’re extracting data. And that’s all to make sure they have you really cornered before you have to make a decision about paying ransom.”

The risks might have been understood in the past. So was the perception of being prey to a hacker.

Bank leaders admit that, for any industry, there’s been something of a stigma attached to falling victim to ransomware and other security breaches. And that’s kept the conversation between institutions relatively muted.

“As they say, there’s two types of people: One who has been hacked and one who doesn’t know they have been,” Tulipani said. “I’m a firm believer that it has come to a point where it shouldn’t be thought of as shameful to raise your hand and say, ‘I’ve been hit,’ especially if it can prevent someone else from having the same happen to them.”

Along with the financial institutions involved with the NJBankers cyberrisks committee, bankers are passing along information about the threats their sector is facing to law enforcement and governmental agencies.

“By doing that, we can really create an opportunity to catch them at the next bank,” Tulipani said. “If we don’t, we’re all going to be operating on an island. And, the fact is, these attackers collaborate. So, to protect the financial industry as a whole, we have to, as well.”

In its decision to collaborate in a more formal capacity, the New Jersey banking industry is following in the footsteps of what some of its peers globally have started doing in recent years.

Already, Kowal said executives at other banks are starting to feel like coworkers.

“That’s the level of sharing that we’re doing today,” Kowal said. “The industry’s success is our success, ultimately.”