After nearly forty years as a senior security executive in the banking industry, and now as a consultant, I've had the opportunity to develop and assess many physical security programs for banks and credit unions. Some of these programs were well written and were backed up by strong executive support, strategic-minded security directors and the appropriate supply of talent to ensure the program's successful execution. This was not true for every bank that I encountered.
I have seen a plethora of programs not being executed because of a lack of executive support, inadequate headcount, and a variety of other reasons. Some banks had diluted, one-page programs that were nothing more than a summary of the Bank Protection Act with no strategic framework - often created to satisfy the "written security program" requirement of the Bank Protection Act. Others had outdated programs that were no longer fit for purpose, sometimes due to the bank's rapid growth through multiple acquisitions.
Banks without well-documented and properly executed physical security programs often find themselves without strategic direction, being reactive rather than proactive and in a never-ending cycle of being behind the curve. Regardless of the state of your physical security program, it should be a priority to complete periodic assessments to ensure that your program is up to the challenge of meeting today's security threats.
Today's Threat and Regulatory Environment
The physical threat environment across the banking industry is unlike anything we've seen in recent decades and at some point, banks of every size will be impacted by crime. Typical bank-related crimes such as robberies, burglaries, ATM attacks, and disruptive or violent behavior occurring at bank branches continue to occur, and in many parts of the U.S. have significantly increased. In addition, geopolitical tensions, rising extremism, political polarization, the threat of civil unrest and active shooter events have become a new reality.
Cyber threats have compounded physical threats as these domains become increasingly intertwined, requiring collaboration between cyber and physical security teams. Vulnerabilities in both digital and physical systems can be exploited to gain unauthorized access or cause physical harm. For example, a cyber attack could result in physical damage to critical infrastructure, while a physical breach could provide attackers with access to sensitive information. Physical security programs must include measures to deal with these vulnerabilities.
In recent years, bank examiners have also been taking deeper dives into physical security, especially during Gramm-Leach-Bliley Act (GLBA) exams. Therefore, physical security programs should be based on accepted industry standards and must focus on complying with pertinent banking regulations (e.g., the Bank Protection Act and GLBA).
It is more important now than ever that physical security programs are proportionately scaled to ensure that banks are well-positioned to manage these threats and regulatory scrutiny.
Strategic Risk Assessment
The first step in assessing a physical security program is to complete a strategic risk assessment of your entire organization. The assessment should provide a comprehensive view of the bank's position in the local as well as the global threat environment. (Even small and regional banks are now susceptible to global events, including geopolitical disruptions and foreign espionage.) The goal is to identify physical security threats and areas where your organization might be vulnerable. A proper risk assessment supports strategic planning, resource prioritization, organizational design, executive support, and stakeholder engagement; it forms the foundation of an innovative security program.
Physical Security Program Assessment and Gap Analysis
Using what you learned from the strategic risk assessment, an assessment and gap analysis of your physical security program can be more effectively completed. Start by answering the following questions:
- Does the program contain key components that address the security risks identified during the risk assessment? Examples of key components include risk assessment requirements, incident management, training requirements, executive security, insider threat, travel security, and security requirements for branches, ATMs, and buildings.
- Does the program consist of written policies, procedures, and standards? Compile a list of existing documents and identify policies, procedures, and standards that are missing and need to be developed. During this exercise, consider how the lack of a procedure or standard could adversely impact the security team's ability to conduct tasks or to apply security measures consistently.
- Are physical security standards comprehensive, based on industry best practices, and in line with regulatory requirements? Do the standards address bank branches, ATMs, operations centers, and headquarters buildings? Physical security standards are an important part of the overall physical security program, ensuring consistent levels of protection and risk-based application of security systems, devices, and enhanced security measures. They support defensible business cases for security during new construction, renovations, and acquisitions, and when seeking to update security technologies. Consistent standards can help reduce crime and the risk of litigation, and they support compliance with regulatory requirements (e.g., the Bank Protection Act and GLBA). The development of physical security standards can be time-consuming and is often put on the back burner.
- Are there policies, procedures, and standards with which your bank is not complying? If so, what are the reasons for noncompliance? Is it that they are outdated, poorly written or lack buy-in from stakeholders? These should be categorized for appropriate action.
The Physical Security Policy
Finally, a physical security policy is needed. This policy does not need to be prescriptive; rather, it should serve as the overarching framework of your organization's physical security program. The policy should consist of brief summaries of the program's components along with the policy requirements for each. The policy should specify governance processes to ensure that the policy, along with related standards and procedures, is reviewed annually to address material changes and areas of non-compliance, and to add new components as your bank's security program matures. Policies should also be approved by the board of directors or a designated committee in compliance with the Bank Protection Act.
Conclusion
Depending on the current state of your security program, these recommendations can be challenging and time-consuming. While larger banks sometimes have the resources to manage this in-house, others leverage third-party consultants to conduct independent program reviews. Either way, the primary objective must be a holistic, fit-for-purpose physical security program that brings credibility to the security team, mitigates risks, provides guidance to employees, and positions your bank for favorable regulatory exam results.
Rick Mercuri is Senior Advisor for Corporate Security at Rebel Global Security. Rick has served as senior security executive at two of the largest U.S. banks. For four decades in corporate security, Rick has demonstrated strong leadership and strategic decision-making for global and domestic organizations. Rick is a trusted advisor to C-level executives and a thought leader with expertise in mitigating complex physical security risks and developing threat intelligence capabilities. Rick is a Certified Protection Professional (CPP).