Navigating a New World of Cybersecurity Risks

How Banking Institutions Can Chart a Safer Route

For: Chief Executive Officers, Chief Operating

Officers, Chief Financial Officers, Chief

Credit Officers, Chief Information Officers

By: Ted Goldwyn & Jordan Pike

pg.1 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

Co Authors: Ted Goldwyn & Jordan Pike

Executive Summary

In 2014, high-profile data breaches at major public corporations including the restaurant chain

P.F. Chang’s, nationwide retailer Michael’s Stores and Sony Pictures placed cybersecurity

concerns front and center in the eyes of the general public. The trend continued into 2015,

with incidents at Excellus Blue Cross/Blue Shield, the Office of Personnel Management,

and revelation of the massive JPMorgan Chase breach leading the way. 2015 has slightly

exceeded 2014’s record number of data breaches (Fig. 1).

Faced with an increasingly sophisticated breed of cybercriminals, it is more important than

ever for banks and credit unions to ensure that they have strict security standards in place to

protect customer and proprietary data and minimize the opportunities for a potential breach.

In this white paper, we discuss the current cybersecurity landscape, share a watch list of

risks that keep information security experts up at night, and explain why a cloud-based,

consolidated technology platform is a safer alternative to multiple on-premise legacy systems.

Navigating a New World of Cybersecurity RisksHow Banking Institutions Can Chart a Safer Route

900

800

700

600

500

400

300

200

100

0

Figure 1: Data Breaches Per Year

Source: Identity Theft Research Center

2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

pg.2 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

Organization Month Records Exposed

Anthem Blue Cross

Excellus Blue Cross / Blue ShieldOffice of Personnel Management

UCLA Health

T-Mobile / Experian

Scottrade

February

September

June

July

October

October

78.8 million

10 million

21.5 million

4.5 million

15 million

4.6 million

Figure 2: 2015’s Largest U.S. Data Breaches

Source: ITRC Breach Report 2015

Data Breaches and Security Hacks: A Growing Threat in Financial Services

Imagine that tomorrow morning you sit down at your desk and you receive a seemingly innocuous email from a senior-level colleague. The email is marked “urgent” and you are prompted to take immediate action.

Unsuspectingly you open the email, click on an embedded link and within moments your simple action begins a chain reaction of devastating events. It turns out that the email did not actually come from your colleague. It was sent from outside your organization, whereby a sophisticated cybercriminal mimicked the “from” address to appear as if it came from an internal sender. The link you clicked begins installing malware on your system, which allows a band of hackers to gain access to the furthest reaches of your bank’s operating systems, seeking out other employees with administrative rights to critical systems that control your institution’s ATM network, wire transfers and customer accounts.

It sounds farfetched, but according to The New York Times a recent, highly sophisticated international cybercrime ring used just this technique to infiltrate more than 100 financial institutions in 30 countries. The attacks resulted in an estimated $300 million in direct losses through unauthorized ATM withdrawals, international SWIFT wire transfers, online banking access and infiltration of the banks’ internal accounting systems to adjust customer balances.

Data breaches are rising across all industry sectors and include recent high-profile incidents involving Target, Home Depot, major healthcare networks and the federal government. For this reason, the issue of data security is at the center of banking executives’ radar.

In the financial services industry, major cyber hacks have included the October attack on Scottrade that left 4.6 million customers at risk and the 2014 infiltration of JP Morgan Chase, which impacted 76 million households and 7 million small business customers (Fig. 2).

The total cost of a data breach has reached stratospheric levels, averaging $6.5 million per institution, up 11 percent from one year ago.

For the highly regulated financial services industry, the average cost per record lost or stolen is $259, substantially higher than the $217 mean across all sectors.

Even smaller institutions like community banks and credit unions are not immune. According to a February 2015 survey from the National Association of Federal Credit Unions (NAFCU), credit unions spent an average of $136,000 on data security measures and $226,000 in costs associated with merchant data breaches in 2014.

Financial institutions have not been sitting idly by. Many are implementing sophisticated, best-in-breed data and cybersecurity systems in a concerted effort to combat increasingly sophisticated attacks. To this end, the non-profit Financial Services Information Sharing and Analysis Center (FS-ISAC) was formed in 1999 to help financial institutions prepare and respond more effectively to cybersecurity threats. However, in the face of such significant and rapidly evolving challenges, more needs to be done.

From Where Are The Threats Coming?

In today’s world, criminal data breaches fall into one of four categories: 1) state-sponsored, 2) “hacktivist” groups, 3) organized crime syndicates and 4) insider access.

pg.3 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

1) State-sponsored cyber-terrorism

State-sponsored cyberterrorism has made a lot of headlines recently, especially in the wake of North Korea’s breach of Sony’s internal website in late 2014. The Anthem Blue Cross breach of nearly 79 million records and the U.S. Office of Personnel Management hack are two other examples of state-sponsored identity theft. The Chinese government is suspected of culpability in both of those incidents.

State-sponsored hacks typically take the form of spear phishing, where hackers send emails to specific high-level targets within an organization, enticing them to click on an embedded attachment that allows malware to be installed on critical internal systems. The goal is often to steal valuable intellectual property and state secrets.

According to ex-NSA director Mike McConnell, China is the leading practitioner of state-sponsored cyber-attacks.

“They’re probably 80 percent of what’s going on in the world now,” McConnell says. China, Russia and the Baltic states are recognized as the primary originators of nation-state attacks, but “most nations engage in industrial espionage.”

2) Hacktivism So-called “hacktivist” attacks are initiated by loosely organized groups of rogue hackers such as the collective known as Anonymous. These attacks serve as a form of online protest against companies or institutions and are usually done for non-financial reasons. Distributed Denial of Service (DDoS) is a favorite technique of hacktivists, where the goal is to overwhelm the target organization’s public website with fake traffic or to redirect it to an unrelated and often unsavory site. In 2012, a Middle Eastern-based hacktivist group took credit for a series of disruptive DDoS attacks against the websites of several major U.S. banks, including Wells Fargo, U.S. Bank, Bank of America, JPMorgan Chase and PNC Financial Services.

3) Organized crime syndicatesOrganized crime can range from a couple of hackers working in concert, to large rings planning a series of well-orchestrated attacks over a period of years. The 2014 JPMorgan Chase breach was reportedly the brainchild of a wide-ranging international criminal enterprise, incorporating elements of stock price manipulation, money laundering, and an illegal bitcoin exchange in addition to the theft of 83 million bank customer records. To date, three Israeli citizens have been charged in the conspiracy.

4) Insider accessThe JPMorgan hack is also an example of infiltration occurring through insider access. Despite its standing as the nation’s largest bank and its industry-leading security practices, JPMorgan was exposed because a single employee’s credentials were accessed and two-factor authentication was not enabled on the targeted server.

Insider access can be manipulated from parties outside of a company or can be initiated internally. Organizations must be wary of rogue insiders, typically disgruntled current or former employees. These individuals may decide to abuse their access for purposes of personal gain or “to get back” at their employer.

According to a recent study, 62 percent of data breaches in the first half of 2015 were caused by malicious outsiders, typically organized criminals seeking to monetize the theft of confidential data records. Twelve percent were instigated by insiders and four percent were attributed to state-sponsored and hacktivist attacks. The remaining 22 percent of breaches were attributed to accidental loss due to system or human error.

According to the Ponemon Institute, breaches caused by malicious attacks are on average 10-16 percent more expensive, respectively, than those caused by system glitches or human error.

Why Are Financial Institutions Particularly Vulnerable?

Cyber hacks threaten all types of organizations across every industry sector. However, banking institutions are particularly vulnerable for several reasons.

A lack of resources. Banking institutions have been reluctant to invest the financial and human capital necessary to stay on top of the latest cybersecurity threats. This is particularly true of smaller banks and credit unions that cannot afford to hire a dedicated information security officer, or to purchase the latest technology with leading encryption controls and protection.

“Banks with less than a hundred employees are targeted more,” says Manuel Lloyd, information security expert and principal of Manuel W. Lloyd Consulting®, a provider of entrepreneurial virtual CIO services. “Because big banks can afford to get better talent, they’re going to understand

pg.4 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

defense in depth, they’re going to have stronger systems,and smaller banks are easy targets.”

A lack of management focus and engagement. As data security threats have grown in recent years, organizations are recognizing the importance of developing an internal focus on information security. This process starts with a mind-set change at the highest levels: your board of directors and senior management teams.

“The board and executive management must be committed to supporting a security culture for everyone to follow from the top-down,” says Mike Saurbaugh, CISSP, CISM, CRISC, and founder of First Security Alliance, LLC. “Without top-level support, the security program will not have the backing it needs to be successful at protecting the organization against the threats which may impact strategic initiatives.”

An over-reliance on multiple systems. Identifying all of your assets, particularly those systems that house your sensitive data, is another critical piece of your data security.

When financial institutions rely on legacy, on-premise hardware such as obsolescent servers, PCs and laptops, it becomes very challenging to determine where the confidential and proprietary data is housed and who has access to it. Those with access may include current employees who require access to perform their jobs; current employees who may have moved on to another function and no longer need access to a particular system; former employees who have

left the firm on good or bad terms, but may still maintain back-door access; and individuals outside the organization including current and former employees of your technology partners.

Compound these issues across multiple internal systems and external vendor-maintained solutions, and your institution may be asking for trouble.

“We see a lot of times, organizations don’t have a good handle on where the sensitive data resides,” says David Anderson, OSCP, Manager of Information Security at CliftonLarsonAllen LLP. “Is it all on your key servers, or do people have it on their workstations? Do certain people have it on laptops that leave the organization on a regular basis? Having a good understanding of where that sensitive data is, is really important.”

Legacy hardware and vendor systems are notorious areas for hidden, sensitive data to reside.

Poor encryption practices. Encryption is recognized as a critical part of a well-rounded cybersecurity program and is in fact the top security method employed by small- to medium-sized businesses (Fig. 3). Banks deal with a lot of proprietary, confidential and sensitive data on a daily basis. Given that much of this information is financial in nature, banks are highly valuable targets for cybercrime. Yet many institutions and their vendors do not immediately implement the latest, validated encryption protocols.

56

20 30 50 6040

Figure 3: Security measures taken by small and midsize businesses to reduce cyber attack risk in the United States in 2015

Source: Statista

10

39

29

25

24

13

25

Share of Respondents

pg.5 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

Banks and credit unions are subject to the Gramm-Leach-Bliley Act of 1999, which “requires financial institutions to safeguard the security and confidentiality of customer information, to protect against any anticipated threats or hazards to the security or integrity of such records; and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”

In addition, the Federal Financial Institutions Examination Council (FFIEC) provides specific guidance on encrypting data: “Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.”

One recommendation is to use validated, long-standing public Advanced Encryption Standards such as AES128 or AES256. These standards were created by the U.S. government in 2001 through a public competition and they have stood the test of time, resisting vulnerability and intrusion tests over countless proprietary encryption algorithms.

Organizations need to be concerned with securing their data at two levels: data at rest and data in transit. Although data in transit has become more secure due to the advancement of higher-level tools and technology in recent years, data at rest is still highly vulnerable.

Encryption must be considered even within internal systems, such as on local servers. Confidential, sensitive and proprietary data should be locked down so that only those individuals who need to see it for their specific roles can access it.

“Where the transaction of data in motion is in bits and pieces and probably encrypted,” Lloyd says, “hackers are really going after data at rest because those are transactions which have already taken place. In the recent cases of databases that were hacked, the data at rest wasn’t encrypted.”

How Do These Threats Impact Your Customers And Business?

A cybersecurity attack on your bank’s systems can be catastrophic. As a financial institution, your systems house such sensitive customer data including Social Security numbers, tax returns, asset and liability information, date

of birth, personal addresses, related family members and security identifiers. Financial services is a highly regulated industry and banks are subject to very strict protocols when it comes to responding to a known cybersecurity attack or data breach.

According to the FFIEC, an adequate response to a data security incident should contain the following elements:

• Isolation of compromised systems, or enhanced monitoring of intruder activities;

• Search for additional compromised systems;

• Collection and preservation of evidence; and

• Communication with effected parties, the primary regulator and law enforcement.

Following the resolution of the security breach, financial institutions must eliminate the intruder’s means of access; restore all systems, programs and data to a “known good state;” file a suspicious activity report (SAR) if required; and initiate customer notification and assistance in accordance with interagency guidance.

Due partially to this compliance burden, the average cost of a financial institution data breach is $259 per record, meaning that the total costs from a single breach can range up to hundreds of thousands, or even millions of dollars depending on the number of records impacted. Add to this the potential for lawsuits, soft internal costs including time spent by staff and lost business opportunities, and loss of credibility, reputation and trust and the true impact is incalculable.

Even when a financial institution isn’t to blame, such as in the case of a merchant-originated debit/credit card breach, the bank often accepts the brunt of the financial impact. For example, credit unions and their members absorbed costs of nearly $100 million in the wake of the Home Depot and Target data breaches.

It’s Time For A Change

Financial institutions have long relied on a network of cobbled-together in-house and vendor systems to run their operations. For many years this approach worked reasonably well, but in today’s high risk cybersecurity environment, it

pg.6 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

leaves banks vulnerable to a myriad of external and internal threats. More systems equal more access and greater opportunities for hackers to infiltrate your organization.

The time has long passed where a “Band-Aid” or duct tape approach is a viable solution (Fig. 4). With multiple on-

premise systems and single-point solutions, a bank places itself at higher risk due to inadequate and outdated patch management practices, numerous internal and external points of entry and overly complicated management of administrative rights. Fortunately, there is a better way.

Branches

ATMs

Call Centers

Internet

Relationship Mgmt. Agents

Channels Business Silos Data Systems

CRM

DB DB

APP

APP

DW

CRM

DB

DB APP

APP DW

CRM

DB

DB APP

APP DW

CRM

DB DB

APP

APP

DW

CRM

DB

DB APP

APP DW

Cloud Computing: A Safer Alternative

Your focus as a banking executive should be running your business and serving your customers. Budgets are tight and resources are limited, but you are still faced every day with the looming and growing cybersecurity threat. What options do financial institutions have? For many banks, the cloud has proven to be a viable, safe and economical alternative.

The FFIEC has stated, “Outsourcing to a cloud service provider can be advantageous to financial institutions because of potential benefits such as cost reduction, flexibility, scalability, improved load balancing and speed.”

Trust in the cloud is growing. According to Alert Logic’s Fall 2015 Cloud Security Report, 87 percent of organizations

are now using cloud infrastructure in some aspect of their business and spending on the cloud will reach over $200 billion by 2016.

“By building our business architecture on a single cloud-based platform, we were able to limit our security vulnerabilities in a cost effective and efficient way.”

Neil Underwood, Live Oak Bank, President

It is clear that this is the direction the industry is taking and for many reasons it is a safer and more manageable alternative to on-premise systems.

Figure 4: Traditional Patchwork of Disparate Systems and Processes

pg.7 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

A Common Misperception: The Cloud is Less Secure

When cloud service providers first came on the market over a decade ago, there was naturally a lot of resistance from IT professionals as well as the general public. Cloud was considered a new, untested technology and one that you could not “touch and feel” like a row of servers located on-site in a secure-access computer room. Add to this, that Internet-based Software-as-a-Service solutions came on the scene, alongside a rise in data security threats from on-premise systems, and it is easy to see how a false association between these services and a lack of data security became conventional wisdom.

It is important to realize that control does not equal security. Where your data resides is not nearly as important as the security standards that you employ.

Over time, it has been shown that Internet-based platforms, staffed by the brightest IT security professionals, backed by secure remote data centers and the latest in encryption controls, can actually be a safer, as well as more economical solution for financial institutions.

On-premise systems are more vulnerable than cloud-based platforms. Just consider:

Less is more: Multiple on-premise, legacy systems increase the number and types of threats that can target your institution. As systems age, it becomes harder to inventory and know exactly where all of your critical and sensitive data is housed. And, it becomes increasingly difficult to keep legacy systems up to date with the latest patches and security protocols.

“Vulnerabilities will always exist and with the number of Internet-connected devices and applications add to the growing complexity the business must deal with,” Saurbaugh says. “Security teams must prioritize vulnerability management to protect against system exploitation.”

Transitioning to a single cloud-based platform to house and manage all of your institution’s sensitive data gives your IT organization better control of who has access among your employees, customers, outside vendors and business partners.

Banks can’t spend enough: Even the largest financial

institutions, like JPMorgan Chase, struggle to mitigate all cybersecurity threats targeting their on-premise systems. JPMorgan spends an estimated $250 million per year on cybersecurity. In the wake of the 2014 attack that compromised the records of 83 million customers, the bank says it intends to double this yearly spend.

Hackers seek low-hanging fruit: The recent spear phishing trend reinforces the fact that hackers always try to locate the path of least resistance. All it takes is one email to an employee with administrative access to compromise an entire internal data system. Cloud-based systems have more robust controls, safeguards and well-trained personnel that make them less prone to these types of social engineering hacks.

Cloud systems offer true defense in depth: In the past, it was sufficient for companies to take a hands-off approach by setting firewalls and antivirus services. Today, with the increasing level of sophistication and changing threat environment, financial institutions must match this sophistication with

“defense in depth,” or a layered approach to cybersecurity.

“Layers are key,” Anderson says. “Not one item can fully protect your organization, but configuring your network and configuring all of your assets in a secure manner can go a long way toward 1) preventing someone from gaining access to your network and then 2) if someone does gain access to your network, being able to recognize, react and respond.”

“A layered approach is important since there is no one solution to solve all security challenges businesses are faced with,” Saurbaugh says.

Top cloud service providers offer true defense in depth, through the implementation of multiple layers of physical and logical security. This includes everything from highly secure and redundant remote data centers, to active patching protocols, to using the best file encryption algorithms for data at rest and in motion.

“The physical security is night and day between a cloud service provider and a local facility,” says Lloyd. “A local facility does not have a barbed wire fence. A local facility doesn’t have biometric access. A local facility doesn’t have people on staff who do nothing but monitor data. A local facility is not going to have backup generators and multi-geographically dispersed data centers.”

pg.8 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

Recent, high-profile breaches targeted on-premise systems: From Target and Excellus Blue Cross, to the Federal Government’s Office of Personnel Management and JPMorgan Chase, many of the recent incidents in the news were the result of infiltration into proprietary, on-premise systems. These are very large corporations that spend millions on sophisticated data security measures. However, they had internal vulnerabilities in people, process or technology that were exposed by the latest social engineering techniques.

Not All Cloud Systems Are Created Equal

Although cloud-based platforms are a secure and efficient alternative to on-premise, legacy systems, it is important to understand that not all vendors that operate in the cloud have the same approach to security.

Do your due diligence and consider these facts before signing on with any new service provider.

Leading cloud providers don’t get hacked: The best cloud providers, such as IBM and Salesforce are targeted by cybercriminals. But they rarely get hacked, due to their best-in-breed security protocols, hiring practices, physical security and defense in depth.

For example, Salesforce data centers feature 24-hour manned security, servers housed in access-controlled steel cages and biometric scanned access control. Connection to the Salesforce environment is via TLS cryptographic protocols. Salesforce utilizes perimeter and internal firewalls to block suspicious Internet traffic and intrusion detection sensors are deployed throughout the internal network to report events to the security team in real time.

“It varies very widely,” adds Anderson. “The providers who have been around for a while, that have been audited for many years, we see good results from a security posture. So you just need to understand how long they’ve been in business and what kind of security testing and controls they have in place to protect the data that they’re getting.”

“The Cloud” does not equal “The Internet”: The media reports regularly on high-profile website hacking incidents, such as the recent CIA Director’s website breach. However, most of these attacks are DDoS or hacktivist infiltrations of company websites, conducted in an effort to disrupt the normal course of business, cause embarrassment, or affect financial ruin. Generally, such attacks are aimed at proprietary websites that are less secure than operating platforms managed by true, professional cloud service providers.

Is your data stored in the United States? Regulatory agencies like the FFIEC provide guidance with respect to the storage of sensitive customer data. Financial institutions must consider the risk of storing customer data offshore as part of their initial assessment and ongoing business continuity planning associated with cloud applications. Cloud providers do not always have the infrastructure or ability to guarantee that customer data will remain in the U.S. or not be stored at international locations. Although international data storage is an option for a financial institution, storing data offshore adds to the risk and complexity of business continuity planning and opens an institution to increased regulatory oversight.

The Cloud is Cost Effective As Well As Secure

Beyond the security advantages, financial institutions realize additional benefits in moving much of their IT infrastructure out of house, including lower costs, higher efficiency and the ability to leverage the greater capabilities and resources of large, enterprise-level organizations.

Figure 5: Typical cloud data storage facilities feature the best physical security in the business.

1. Security Building and Controls

2. Redundant Power Backup

3. Storm Proof Data Center

4. Main Power Plant

5. Redundant Power Backup

pg.9 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

“Not only were we able to improve our security posture by implementing a single, cloud-based bank operating system,” says Live Oak Bank’s Underwood. “We grew to become the number two SBA lender in the country in just five years, while successfully controlling our expenses in staff and resources.”

Neil Underwood, Live Oak Bank, President

According to a Rackspace/Manchester Business School study of over 1,200 U.S. and U.K. businesses, 88 percent of companies using cloud services experienced cost savings. Fifty-six percent also reported an increase in profits. Nearly two-thirds of those companies that reported a cost savings had reinvested those savings back into the business, enabling them to focus on growth strategies and new customer acquisition.

Conclusion

Financial institutions today face a rapidly shifting cybersecurity landscape, one that has witnessed a number of historically massive data breaches over the past few years. High profile breaches, such as the recent JPMorgan Chase attack, have proven to be highly disruptive and expensive, in terms of both economics and reputational impacts.

In the face of such unprecedented new risks and a sophisticated and emboldened new breed of cyber-criminals, it is time for banks and credit unions to reset their approach toward cybersecurity. Through the commitment of time, staff and economic resources and by strategic outsourcing, leading firms establish and maintain a robust and multi-faceted security posture.

Cloud computing offers numerous benefits to financial institutions of all sizes, including the ability to deploy a more robust physical and virtual security infrastructure, to consolidate multiple systems to a single manageable platform, and to have access to a team of knowledgeable and experienced experts.

pg.10 © 2016 nCino research@ncino.com888.676.2466 www.ncino.com

About Ted Goldwyn

Ted Goldwyn is principal at Ted Goldwyn Wri t ing, a f reelance commercial writing firm based in Corning, New York. Ted specializes in marketing, communications, and thought leadership for the financial

services industry. He has been published in financial journals including Credit Union Magazine and Callahan & Associates. Prior to starting his freelance writing career, Ted spent over 18 years in financial services in a variety of management roles. His experience includes over eight years in senior management as Director of Business Services at Corning Credit Union in Corning, NY, and nearly 10 years in branch management and as Vice President, Product Manager for Small Business Services at The Bank of New York in New York City. Ted holds a B.S. in Applied Economics and Management from Cornell University, and an M.B.A. in Finance and International Business from New York University’s Stern School of Business. Ted may be contacted at ted@tedgoldwyn.com and at www.tedgoldwyn.com.

About Jordan Pike

Jordan Pike is the Director of Infrastructure and Security Operations for nCino in Wilmington, North Carolina. He holds the elite CISSP certification (Certified Information Systems Security Professional), which

is the most stringent security certification in the world, as well as the ISC2 CCSP (Certified Cloud Security Professional) certification. He also holds security certifications from Cisco Systems, Juniper Networks, Comptia, and Solarwinds. He is currently researching how to turn unstructured bank data into meaningful, actionable information. Prior to nCino Jordan was a Network Engineer at Infranet Technologies Group where he focused on data security deployments. He holds a B.S. degree in Computer Science from the University of North Carolina Wilmington. Jordan can be reached at jordan.pike@ncino.com.

About the Authors

About nCino

nCino is the worldwide leader in cloud banking. Through its Bank Operating System, nCino leverages the power and security of the Salesforce platform to deliver a complete banking solution. Dedicated to transforming financial services through innovation, reputation and speed, nCino’s technology enables financial institutions of all sizes to expand market share, adapt to meet regulatory compliance, drive profitability and optimize operational transparency. Founded in 2012, nCino is headquartered in Wilmington, N.C.