Banks are discovering that holding other companies liable for cybercrimes committed against them is uncharted territory as authorities around the world sort out the details of a $45 million global bank heist that U.S. law enforcement officials exposed Thursday.
Because such attacks are rare and the sums stolen were so huge, the two Middle Eastern banks that were robbed face an uncertain path in trying to recover their losses, according to finance, insurance and legal experts.
The Bank of Muscat in Oman was worst-hit, losing $40 million, while the National Bank of Ras Al Khaimah PSC (RAKBANK) in the United Arab Emirates lost $5 million. Hackers broke in and raised withdrawal limits and account balances for thieves who tapped designated ATMs in 27 countries.
"We are exploring all avenues of recovery so as to protect shareholder interests and will advise the markets accordingly if there are any material developments in this regard," Muscat said in a statement.
Yet the path to recovery will be roundabout at best. The two banks could bring court claims against the companies that process the transactions, experts say, but those claims would depend on what specific contracts exist between the two parties. Some of them are industry-standard security contracts required by major credit card networks, but experts say that even if the processor failed to comply with security standards, banks may still be unable to get back their money because terms set by credit card companies typically limit the processor's liability.
"They can't make everybody whole, or they'll be out of business," Michael Klaschka of Integro Insurance Brokers told Reuters. "The bank may have very little recourse against the credit card processor."
The banks could also file claims with insurance companies, either through their own insurers or through those of the processing companies. In turn, the insurers could press claims against the processing companies or against their insurers. Although some banks have invested in available coverage against cybercrime, it is not known if Bank of Muscat or RAKBANK carried cyber insurance. In fact, the market for such policies is still quite new and nonstandard.
U.S. prosecutors will also seek restitution for the banks from the eight New York suspects arrested in the case, but the amount of funds available likely won't approach the total $45 million stolen.
"It's certainly possible that the bank could be left holding the bag," Frederick Rivera of financial services law firm Perkins Coie told Reuters.
Then there is the question of jurisdiction. Since both banks are located in the Middle East and one of the processing companies is based in India, it is unclear which court would have jurisdiction over the case. Still, credit card companies impose rules on banks and processors that apply across jurisdictions.