Attention bankers: are you at risk for cybercrime?

Cyber breaches have been a significant peril for banking institutions since computers entered the banking sphere a generation ago. Unfortunately, the threat has since multiplied in complexity and magnitude. Last year, cyber thieves disguised as a commercial customer submitted files of ACH credits worth nearly $700,000 to a large bank, using the proper ID and password information to authorize the transactions. The bank’s own sophisticated scoring model, used to validate the payment, failed to catch the fraudulent activity; by the time the issue was discovered, the bank’s customer had lost a majority of the funds.

Kenneth Proctor, Managing Director, Risk Management and Compliance of Abound Resources, a leading risk control consultant to financial institutions, outlines many of the risks and defensive practices in this month’s ABA Banking Journal.

The case mentioned in his article was hardly unique; unfortunately, it’s just one of two decades’ worth of bank-related cybercrimes that have cost banks and their customers millions of dollars. A significant new area of risk, however, has emerged, and many bankers are still not clear on how they are exposed or protected. Mr. Proctor’s report goes on to describe other significant perils.

IT security experts say that many of today’s cybercrimes involve attacks on computer systems belonging to banks’ customers, whose computer networks may not be protected from “Trojan Horse” and other malicious software. For example, a commercial depositor’s employees may visit a website that is secretly hosting dangerous malware, which can then track passwords, keystrokes and other security information that criminals can use to access a bank’s systems. Once they’ve obtained access, the thieves can use the Trojan to submit fake payments to the bank and transfer money to “money mules” or innocent parties who have had their own accounts attacked.

Cyber criminals often use sophisticated techniques during hijack sessions, such as using malware to monitor when account balances have reached a certain amount and then determining how much to steal within a certain limit to avoid alerting the bank’s fraud-detection alarms. Even banks that use advanced third-party security services like cloud-based secure sites and encrypted transmission of passwords may fall victim to cyber breaches.

As a result, banks should also make sure they employ standard protections in their cyber risk management, including customer contracts and agreements, educating customers about security procedures they should employ, and using alternative methods or channels besides the cash management system to authenticate transactions, particularly by using alternative contact methods for confirmation of depositor instructions.

Finally, obtaining sufficient cybercrime insurance is critical in minimizing exposure to a breach. Many bankers may be unaware of whether their cyber fraud and privacy-related risks are covered in their insurance and fidelity-bond programs. Banks should review their coverage in detail and note any gaps where limits of coverage are inadequate or no coverage applies. Furthermore, today’s legal and regulatory notification requirements after a breach are very rigorous and expensive to fulfill, and the standard sub-limited coverage for notification expense and required credit monitoring often does not adequately protect policyholders against these expenses.

About the Author

Roger Haynes is an Executive Vice President and the Financial Risks Practice Leader at WGA. He has over 25 years of experience with specialty claims and policy form issues that arise with all types of financial clientele including banks, broker dealers, money managers, mutual funds, investment advisors, real estate, insurance companies and lease and finance companies.

617.646.0220 | Rhaynes@wgains.com | Connect with Roger on Linkedin
