In some high-tech circles, the word ‘hack’ means a clever practical joke. But financial institutions and other entities are not laughing at the latest round of computer hacking. Whether the perpetrators are bored students, the Chinese army or the Iranian government, as some reports have indicated, banks are working to keep their data safe from security breaches.
‘With the number of attacks being up, it's a testament to what the industry has done to protect itself that we haven't seen more negative effects as a result,’ says Keven Smith, president and CEO of software provider Mortgage Builder, based in Southfield, Mich. ‘Now more than ever, it's important for institutions to stay on top of this issue, especially in light of the current regulatory environment.’
Cybersecurity can be expensive, says Mercedes Kelley Tunstall, of counsel with the law firm Ballard Spahr LLP. ‘You can spend hundreds of millions of dollars on your systems and still be hacked every day,’ she says.
Tunstall, who leads the privacy and data security practice for the firm, says banks have to respond to shareholders, customers and regulatory agencies, while protecting credit card information, online banking and transfers of money. ‘You have to balance the risks against the costs,’ she says.
Hackers range from so-called hacktivists to governments, and it is difficult to identify the people who are shutting down banks' websites or stealing customer data.
‘You can trace back IP addresses, but it's hard to figure out who is sitting on the other side of the computer,’ says Tunstall, who is based out of the Washington, D.C., office of Ballard Spahr. ‘There are attacks where they snarl everything and make it impossible for customers to check their balance, and while the bank is busy getting everything back up and going, they can skim data.’
According to the Alexandria, Va.-based security firm Mandiant, many of the computer intrusion activities can be traced to China. Also according to Mandiant, 38% of cyber attack targets in 2012 were attacked again once the original incident was remediated.
Some of the attacks have been well publicized. The Washington, D.C.-based Center for Strategic and International Studies, in its Significant Cyber Events report, indicates that from May 2006 to February 2013, there were 124 ‘successful attacks on government agencies, defense and high-tech companies, or economic crimes with losses of more than a million dollars.’
The attacks on financial institutions included the June 2011 incident in which Citibank reported that credit card data for 360,000 of its customers were exfiltrated, or released without authorization, and the January 2013 attack in which the Iranian hacker group Izz ad-Din al-Qassam claimed responsibility for denial-of-service attacks against the websites of Ally Financial, BB&T, Capital One, Fifth Third Bank, HSBC, PNC, Wells Fargo, SunTrust and Zions Bank.
Banks and other companies do not like to share information about the attacks because of liability concerns.
‘There is nothing that gives them the ability to say, “Here is what happened, the weakness was here, and we didn't think it was exploited but it was,”’ Tunstall explains. ‘Then the question is, was it reasonable not to address the problem until today? There are ways banks could be liable for attacks, so they need to stay closely guarded.’
New efforts from the White House and from Congress might change that. In February, President Obama signed an executive order, titled ‘Improving Critical Infrastructure Cybersecurity,’ that declares cyber intrusions to be a serious challenge to national security and calls for the federal government and the owners of the critical infrastructure to share information. The National Institute of Standards and Technology will work with industry to develop a framework of cybersecurity practices to reduce cyber risks to critical infrastructure.
The cybersecurity framework is optional, so the U.S. Department of Homeland Security will work with federal agencies to assist companies with implementing the framework and identify incentives for adopting it.
In April, the House Intelligence Committee approved the Cyber Intelligence Sharing and Protection Act. The bill, which calls for companies to voluntarily share information about cyber attacks against them, was recently approved by the House of Representatives with bipartisan support.
Smith points out that banks need to pay attention to third parties too. ‘It's important for banks and other lending institutions to take the proper precautions not only with respect to their own safeguards, but also with respect to their vendor partners,’ he says. ‘It's important that they regularly think about this issue; as the tactics attackers use are ever changing, so too must their safeguards.’
Smaller institutions are doing their part, says Lilly Thomas, vice president and regulatory counsel for the Independent Community Bankers Association in Washington, D.C.
‘Community banks rely on the FFIEC Guidance on Authentication in an Internet Banking Environment for information on employing controls to guard against cyber attacks,’ she says. ‘Additionally, because they rely on third parties and their core processors more heavily for their IT and online services, community banks work with third-party service providers to ensure specialized defense technologies and services.’
Nora Caley is a Denver-based freelance writer. She can be reached at firstname.lastname@example.org.