The revelation this week that international hackers have stolen as much as $1 billion from banks around the globe has renewed questions about the systemic risk cybercrime poses to the financial sector. A report released Monday by Russian security firm Kaspersky Lab indicates that the series of thefts constitutes the largest known bank heist in modern history, affecting more than 100 banks in 30 countries.
According to Rohini Tendulkar, economist at the International Organization of Securities Commissions (Iosco), the attack was “unprecedented ... in terms of sophistication and size.”
Having teetered on the brink when individual banks collapsed during the housing crisis, could the financial system as a whole be vulnerable to cyberattacks?
“While the focus may still be on financial crime, over time we need to look at disruption from systemic challenges,” Vikram Bhat, principal in cyber risk services at consulting firm Deloitte & Touche, says. Financial cybersecurity still hinges largely on how well banks safeguard consumer information and accounts. But as attacks become more sophisticated -- and the profile of cyberattackers shifts from isolated groups to digital mafia and even nation-states -- risks to the system multiply exponentially.
Bhat isn’t alone in his concern over systemwide hazards presented by cybersecurity weaknesses. In 2013 a report from Iosco and the World Federation of Exchanges found that 89 percent of the world’s financial exchanges listed hacking as a “systemic risk.”
“One thing we learned, especially in [the] fallout of the recent crisis, is how interconnected the system is,” Tendulkar says. “The interconnection is not just in terms of transactions and process, but IT infrastructures.”
When it comes to the technical systems that undergird the financial system, “people often aren’t aware of who they are connected to,” Tendulkar says. Attacks on banks can ripple across the system.
Over the past year cyberattacks have sent shudders through Wall Street and beyond. JPMorgan Chase revealed last fall that over 80 million accounts had been compromised in a data breach that went unnoticed for two months. In January the FBI released a criminal complaint in which Russian nationals, allegedly working for the Kremlin, discussed deploying high-frequency automated trading units as “mechanisms of use for destabilization of the markets.”
In 2013, federal prosecutor Preet Bharara brought charges against an Eastern European hacking ring that had attempted to infiltrate Nasdaq from a New Jersey hideaway. “Cybercriminals are determined to prey not only on individual bank accounts,” Bharara said at the time, “but on the financial system itself.”
Some feel these mounting threats underscore the need for a regulatory approach that acknowledges the systemwide risks of cybercrime. In a December hearing, U.S. Sen. Elizabeth Warren, D-Mass., pointedly questioned an official from the Office of the Comptroller of the Currency (OCC), an agency that ranks banks on the systemic risk they incur, “whether or not you take [cybersecurity] into account in ranking the institutions.”
Warren later took a Treasury spokesman to task over what she saw as that department’s inattention to cyber risk. “What I think I’m hearing you say is that you’re just telling the financial institutions to be sure to monitor,” she said.
For her part, Tendulkar worries that cyberattacks could threaten the infrastructure on which the financial system rests, from market exchanges such as the New York Stock Exchange to interbank communication networks. Whether from a hostile state or a rogue hacking group, such an attack could paralyze an increasingly interconnected and virtual market.
Policy, however, remains in flux. To date, no comprehensive cybersecurity legislation has made it out of Congress, hampered in part by protests over privacy and due-process concerns. Still, a patchwork of agency rules and recommendations has taken form over the past year. The SEC and OCC proposed new guidelines for cybersecurity preparedness late last year, and the interagency Federal Financial Institutions Examination Council announced plans to test banks on their ability to weather cyberattacks.
Even with this influx of regulatory attention, however, it took a Russian security firm for the U.S. to learn that some of its banks were apparently exploited in the largest financial heist in history. Though President Obama has proposed legislation that would require companies to disclose when they’ve undergone cyberattacks, banks currently have no obligation to tell customers about breaches.
The hacking ring that Kaspersky Lab discovered seems to harbor only financial motives; nothing indicates that it wanted anything more than cash. But the scale and breadth of the attack raise doubts that the financial system can fully safeguard against a new breed of cyber threats.
That insecurity, Tendulkar says, could be the greatest hazard facing a system that runs as much on trust as it does on dollars. “It can nurture doubt on the part of market participants in the integrity of the financial system,” she says. “It’s not clear what the protocols are at the institutional level -- or at the system level.”