The growth of the digital economy throughout the world has been very beneficial to consumers, allowing many to pay for most transactions with the use of a card linked to a financial account or even through a contactless payment conducted via electronic device. However, the creation of financial data collected as a result of these payment methods, so that money can be routed from financial institutions to retailers, has increased the risk of that private data being stolen by hackers. This has focused the attention of most businesses on the concept of cybersecurity, a topic that we’ve written about here on IPWatchdog in the past.
Most of our readers will be familiar with many of the major corporations that have been hit by major data breaches in the past year or two. Target’s hacking scandal in the early stages of 2013 brought mainstream attention to the cybersecurity issue but other huge businesses like Neiman Marcus, UPS, Dairy Queen, Sony and Home Depot have all been targeted in recent months.
Also among the major hacking targets of 2014 was JPMorgan Chase, America’s largest bank in terms of assets. This underscores a growing concern in the fight against data theft: as cyber attacks grow in complexity, hackers are likely to stop targeting retailers and other stores and start to target the banks themselves. If they’re successful, this could have catastrophic consequences on our economy and global financial systems.
Banks Work to Cover the Rising Costs and Risks of Cybersecurity
Many members of the public are growing wise to the increasing threat of cyber attacks on their place of employment or even their personal lives. A recent study of American professionals conducted by Opinion Matters for GFI Software, an IT solution developer, found that 46 percent of respondents were victimized by a cyber crime within the past year. The survey also discovered that 43 percent of respondents thought that banks would be the greatest target for hackers and identity thieves in the coming year.
Even with this growing concern about cybersecurity risks at banks, American consumers still hold a lot of trust in these financial institutions. An infographic released by the American Bankers Association indicates that 73 percent of consumers trust banks to keep their payments safe. By contrast, only one percent trusts telecom companies, two percent trust retailers and eight percent trust alternative payment providers like PayPal. Of course, the account holders at a financial institution haven’t felt the same burn that the banks themselves have; the ABA infographic reports that, although bank consumers are liable for none of the damages of fraud, 83 percent of banks receiving reimbursement for fraud received less than 10 cents for every dollar stolen. Almost half received less than a penny on the dollar in reimbursement. This money includes anything stolen from financial accounts as well as the millions of dollars spent to issue new debit and credit cards to consumers.
The threat of cyber attacks on the networks of financial institutions is expected to pick up during 2015. There are those who worry that hackers will have the ability to increase the complexity of their attacks in the coming months. The best cybersecurity approach is a proactive one and there have been certain steps made in that direction. The ABA infographic highlights a few things that banks have done on their own to stem fraudulent activities, including the distribution of payment cards with electronic chips, which are more difficult to steal data from, and neural networks designed to detect unauthorized activities on a financial institutions networks. These programs are especially important at small and midsize banks where the cost of implementing new programs will likely become much more expensive as regulators step in to make sure banks stay afloat and consumers have their accounts adequately protected. Even without regulation enforcing cybersecurity at banks, large corporations like the Bank of America already spend about $400 million per year on addressing these risks.
Government Regulators Trying to Protect Our Wallets
Regulations will likely start rolling out in the coming year starting at the state level. In May of last year, for example, the New York State Department of Financial Services released a report which said that the agency would add cybersecurity measures to the list of items that it investigates when evaluating a bank’s overall safety and soundness. New York, and New York City in particular, is home to a huge banking industry that represents some of our nation’s largest financial institutions, including American Express, JPMorgan Chase, Goldman Sachs and Merrill Lynch. According to remarks made by NYS DFS Superintendent Benjamin Lawsky in late February, state regulations could involve the use of multi-layer authentication systems for firms regulated by the DFS.
The NYS DFS report found that most banks rely on a mix of in-house and outsourced information technology management resources for keeping financial accounts safe. Small banks rely the heaviest on outsourcing this work to vendors, which often increases their risk as the use of a third-party vendor adds another network layer that could possibly be infiltrated by hackers. Third-party vendors pose an additional problem for community banks as some use IT management vendors from outside of the community that the bank serves. Community bank account holders often tout the benefits of the bank being local and outsourcing cybersecurity practices could seem untrustworthy to some account holders.
Interesting, we’ve already been covering some activities by the federal government that may come into play as banks scramble to protect the secure financial data that is communicated digitally between account holders, stores and banks. The Cybersecurity Framework, an organizational approach to minimize risks involved with using digital communications developed by the National Institute of Standards and Technology, is heavily relied upon in this cybersecurity resource guide for bank executives which was developed by the Conference of State Bank Supervisors. This resource guide also includes a number of risk mitigation techniques relative to mobile banking applications to prepare for the estimated 96 million consumers who will adopt mobile banking by 2016. These recommended security measures include six-character PINs, dual authentication log-ins, automatic logouts after 15 minutes of inactivity and disallowing “jail-broken” electronic devices to participate on the mobile banking network.
Some governments are even pursuing penetration testing, also referred to sometimes as “war games,” to help strengthen the defenses of their most valuable banking institutions. Both the Bank of England and the U.S. Federal Reserve will likely be hacked by their respective governments in the coming months to identify vulnerabilities in their networks. It’s hoped that understanding these vulnerabilities will enable these institutions to proactively respond to threats before a malevolent actor can take advantage.
The potential risks of cyber attacks are so dire that it’s creating some strange political bedfellows. Major players in the fields of credit unions and banks, which are typically at odds with each other, have been supportive of federal initiatives to combat IT threats at financial institutions. This includes the creation of the Cyber Threat Intelligence Integration Center, announced recently by President Obama. The CTIIC will exist to help trace malicious cyber activities and identify the foreign sources of those threats.