Kenneth Montgomery   

Title: First Vice President, Chief Operating Officer, Federal Reserve Bank of Boston   

Age: 55

Experience: 32 years   

When Ken Montgomery first went to work for the Federal Reserve Bank of New York, he figured it would be a good two-year gig. His previous employer had wanted to send him to Detroit, so the New Jersey native really just wanted to stay closer to home at first. But three Federal Reserve banks and 30 years later, Montgomery has carved out a pretty strong niche, putting his tech background to work for every business the Fed touches. Recently, he sat down with Banker & Tradesman to talk about the Boston Fed’s new cybersecurity pilot program for community banks.

Q: You’ve been involved with a pilot program for community banks that’s focused on information-sharing and cybersecurity – what can you tell us about that?

A: What we recognize is that large institutions have a lot of money at their disposal, so they can get a lot of the expertise they need to have effective cybersecurity programs. What we’re worried about are some of the smaller organizations, those that have assets, say, less than $10 billion. This service was very much geared at that segment of the banking system. What we wanted to do was give them access to information and really understand the volume and velocity of information they’re receiving regarding security threats.

This pilot was intended to see if this is something institutions would derive value from, and is it an effective mechanism by which we can get participants in the banking industry to work collaboratively with one another and share information about cyber threats, as well we reactions to cyber threats.

So we started the pilot about a year ago, limited to about 20 institutions, met every couple of weeks either face-to-face or through video conferencing. We had outside speakers come in and we talked to them about the current threat environment, what new threats they saw, what information we received from other agencies, and we passed that onto them and ask how were they prepared to respond to that.

Likewise, they would give back and give us information on the problems they’re experiencing or threats they’re aware of, and then we would work collaboratively on some solutions.

There are two real groups we’re concerned with that want to attack or disrupt the industry: organized crime … and rogue nation state actors looking to disrupt the payment system, disrupt the activities of banks and other financial services organizations.

An effective economy is so dependent upon an operating payment system, if it was disrupted, it’s just a matter of hours or days before segments of the economy start to have real problems.

Q: What kind of feedback did you get from the banks that were involved in the pilot?

A: The feedback was really positive. What the banks liked about it was that they were getting access to operational information, so they didn’t have to weed through a myriad of different details they were hearing.

The other thing they liked about it was establishing their own network of other people they could talk to and understand the differences between a few organizations, but also share problems and solutions with one another. They also liked that they were able to give feedback to the Fed with the expectation that the Fed would share that with other agencies and bring them forward in terms of developing the pilot at the next step.

They also liked that we were limited to smaller-sized banking institutions and they weren’t there with the larger sized institutions that have different problems, so they liked that personalized attention they were getting from it.
 

Q: Do you have plans to expand the program?

A: Our hope is that this year we’ll expand it to 50 or 60 institutions. We want to continue to get everybody within the New England region to participate in this, so in addition to having meetings in Boston, our hope is to have groups in the other New England states where we can go to them and talk to them about these activities.

Then we’re also wondering, is this a model the other 11 Federal Reserve banks can implement? So is this something that could go nationwide, again targeted to that segment of banks under $10 billion cap. 

Montgomery’s Top Five Cybersecurity Tips:

1. Assume you will be (or have been) compromised.
2. Be proactive in your cyber security planning; prepare for the worst-case scenario.
3. Cybersecurity is an ongoing and increasing cost of doing business; take a risk-based approach to funding cyber protection.
4. Include insiders as a significant threat vector.
5. Build relationships and understand the security position of your critical service providers and vendors.