Cyberattacks and Bank Failures

Fears of a major cyberattack on banks have been rising since hackers successfully stole nearly $100 million from Bangladesh’s central bank in February 2016. Shortly after that incident, Russian central bank officials disclosed that hackers stole more than $31 million (two billion rubles) from the country’s central bank and commercial banks. SWIFT – the predominant messaging network used by banks – warned that these kinds of cyberattacks are set to rise.

In this article, we will look at how cybersecurity risks could lead to the next bank failure and what it means for the financial industry and consumers.

The financial industry has struggled to keep pace with technological innovation, particularly given the extensive regulation governing its operation. While legacy technology may seem like just an inconvenience to consumers, it has become a major security risk for commercial banks, insurance companies and their consumers. At the same time, hackers have benefited from new technologies that make it easier to hack into these legacy banking systems.

For example, so-called two-factor authentication is a nearly bullet-proof way to secure consumer bank accounts. Banks send a temporary code to the consumer’s cell phone before allowing them to log in, which means hackers would need access to both the computer and the cell phone to gain access to the account. Despite the effectiveness of the method, several major banks don’t use two-factor authentication to protect consumer bank accounts.

The Bangladesh bank heist also illustrated vulnerabilities in bank computer systems. According to SWIFT, relatively simple malware was detected on its clients’ (bank) computer systems targeting a PDF reader used to check statement messages. Hackers used the malware to bypass primary risk controls and initiate irrevocable funds transfer processes while tampering with statements and confirmations that would normally act as secondary controls.

Consumers have relatively little to lose from cyberattacks on banks, provided they weren’t lax about safeguarding their information and they quickly notify the bank if funds are missing. U.S. federal law requires banks to refund customers if someone takes money from their account without authorization and they notify the bank within 60 days of the transactions appearing on their bank statement. Business accounts, however, have fewer protections and could be subject to greater losses.

Banks themselves have fewer assurances from the federal government that they would remain solvent if a major cyberattack were executed. According to some experts, the Financial Stability Oversight Council has largely failed to acknowledge and plan for cyberattacks that threaten the solvency of a major bank. These attacks could target bank processing systems and disrupt critical financial transactions needed to avoid margin calls, for example, triggering a default.

British academic Richard Benham, chairman of the National Cyber Management Centre, warned the BBC that “a major bank will fail as a result of a cyberattack in 2017 leading to a loss of confidence and a run on that bank.” Many banks already see millions of attempted attacks each year with modest losses resulting, but the precedent set by the SWIFT hack on central banks indicates that these attacks are rapidly becoming more sophisticated.

Cybersecurity has become a paramount concern for the banking sector, but some banks have been hesitant to implement much-needed security measures and regulators have been slow to develop a plan to address major attacks if and when they occur. Consumers may be able to recover their money under federal law, but some experts are concerned that the escalating attacks could render a major bank insolvent if successful, or at least create a panic that leads to a run on a bank.