Cyber Crime

Willie Sutton, the famous bank robber who died in 1980, wrote in his autobiography “Where the Money Was,” that he enjoyed his profession. “I loved it,” he wrote. “I was more alive when I was inside a bank, robbing it, than at any other time in my life.”

Fast forward to the fall of 2013. The U.S. attorney’s office in the Eastern District of New York has released a photo of the faces of two men, saying both have pleaded guilty in a global heist that took $45 million in cash from ATM machines. Mobile phone photos entered into evidence, allegedly taken by the perpetrators, show wads of cash atop celebratory Coors Light cans.

The U.S. attorney’s office says criminals broke into the computer systems of third-party payment processors in India and the United States, and increased the maximum payouts allowed on prepaid debit cards. Then, they distributed the information to “cashiers” located in more than 20 countries-including the two posing with the cash and Coors Light-who promptly extracted the money from ATM machines in two separate incidents in December 2012 and in February 2013, according to the U.S. attorney’s indictments.

In total, $5 million was taken using MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates, also known as RAKBANK, and $40 million was taken within 10 hours using MasterCard debit cards issued by Bank Muscat in Oman. The U.S. attorney’s office did not release the names of the payment processors whose computer systems were hacked. The chief financial officer of Bank Muscat, which took a charge of up to $39 million against earnings, declined an interview request.

Cyber security experts say cyber attacks are becoming more sophisticated as criminals seek out weaknesses in the financial system, forcing banks and companies to make changes to security practices and improve their procedures. Bank boards in particular are worried about the risk, as new technologies such as mobile banking are making banks more vulnerable and as costs from a break-in are rising. Many a bank has ended up in a lawsuit with customers who expected the bank to make them whole for the theft.

Large, globally connected banks have a greater variety of threats than community banks do, but community banks have fewer resources to confront their very real challenges. Some community banks are advanced in terms of cyber security and others, quite frankly, are falling behind. Regulators have called attention to the seriousness of the issue, but knowing exactly what the risk is and how to protect your bank are difficult questions to answer. Still, regulators expect the board to oversee risk and specifically cyber risk, getting regular reports on the bank’s security and practices and holding management accountable for protecting the bank.

The underlying theme is that banks are getting attacked often, and when the attacks are successful, they are costly. In a survey of 60 large companies last year by the data and privacy research and consulting firm Ponemon Institute, the average annualized cost of cyber attacks was $11.6 million, a 26 percent increase in just one year. For financial institutions in the survey, it was $23.6 million. In a separate survey last year of 9,600 executives and information technology officers by consulting, tax and auditing firm PwC, financial services companies detected 4,628 cyber security incidents, adverse events that threaten some aspect of computer security, a 169 percent increase from the year before.

The threats are not only becoming more frequent and more costly, but increasingly sophisticated, according to regulators and security experts. Banks are getting attacked on multiple fronts: some of the biggest U.S. banks were victims of recent distributed denial-of-service (DDoS) attacks that took down their websites and interrupted their ability to do business, allegedly with the participation of the Iranian government. In addition, so-called hacktivists make a hobby out of penetrating a company’s or organization’s computer system for fun or to make political statements. Many of the cyber security attacks at community banks revolve around phishing or malware attacks on their customers, where a criminal installs malicious software on a victim’s computer to get access to passwords for bank accounts and other identifying information. Phishing uses email or social media to get someone to click on a link that looks like it comes from a trustworthy source and enter sensitive information such as bank account numbers, passwords or social security numbers.

The most common source of security incidents is employees or vendors with insider access to money or information, but the higher average cost comes from organized criminals, says Joe Nocera, the financial services information technology (IT) security and risk practice leader at PwC. Five years ago, a cyber criminal was usually part of a small group or a loner. Nowadays, there are teams located throughout the world who communicate with each other. “They are specialized,” Nocera says. “They have teams looking for vulnerabilities and other teams that penetrate and a third team that moves money electrically around the world. They almost take an assembly line approach.”

Comptroller of the Currency Tom Curry gave a speech in September 2013 where he referred to the growing sophistication of hackers and the increasing frequency of attacks. He said new technologies such as mobile banking, social media and cloud computing introduce a new set of potential weaknesses to the system and new points of entry for hackers.

“From a vulnerability perspective, we are at increased risk due to our banking system’s significant reliance on technology and telecommunications, and the interconnections between these systems,” he said. “Banks not only operate their own networks, they also rely on third parties to support their systems and business activities. Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system.”

The Office of the Comptroller of the Currency (OCC)’s spring 2013 Semi-Annual Risk Report was the first time that document identified cyber security as a key component of operational risk. The OCC sees community banks as particularly vulnerable to attacks. Large banks may have hundreds of information security specialists or people who have some role in cyber security, according to Curry. The OCC has examiners for these banks whose sole job is to assess the company’s cyber risks.

Community banks, on the other hand, may not have to worry to the same extent as big banks about foreign government threats and denial-of-service attacks, but they may be more vulnerable to other attacks because they have fewer resources, says Vivian Maese, an attorney with Dechert LLP in New York who specializes in cyber security. “The technological capability of the bad actors is accelerating at such an extraordinary pace,” she says. The OCC is focusing particularly on community banks and thrifts. “As our largest institutions improve their defenses, it is very likely that hackers will turn their attention to community banks,” Curry said in his September speech. Mike Urban, the director of financial crime risk management at Fiserv, which sells a host of different IT, payment and security services to financial institutions, says his clients are telling him they are getting more questions from regulators about their cyber risk practices. “The smaller you are, the bigger the potential hit to the organization,” he says. “[Cyber fraud] could potentially destabilize a smaller institution.”

Randy Romes, who handles cyber crime investigations at tax, audit and consulting firm CliftonLarsonAllen in Minneapolis, says the most frequent calls he gets for community banks are for so-called corporate account takeovers, where criminals access a customer’s account online. He sees the biggest problem not in the bank’s security, but in the customer’s, which then becomes a problem for the bank. “The criminals have figured out the banks are more difficult to break into, but their customers are not.”

Many business customers of banks don’t have anything approaching standard IT controls. “The IT function is to keep the lights on,” Romes says. “Anything that gets in the way of efficiency isn’t considered.” A standard entry way for criminals is accessing a customer’s bank account through malware or phishing. That’s apparently what happened at Park Sterling Bank in Charlotte, North Carolina, in May 2012, when criminals gained access to the computer, and therefore, the bank trust account of a bank customer. To the bank, it looked like the wire transfer order for $336,600 was coming from the computer of the trust account holder, the law firm Wallace & Pittman, via the customer’s Internet Protocol address, according to court records, although Wallace & Pittman denied that assertion. The criminals knew the law firm’s user name, password and answers to challenge questions. The money was transferred to a JPMorgan Chase & Co. account holder in Moscow. The funds were never recovered, according to court documents. Park Sterling temporarily put $336,600 into Wallace & Pittman’s account after the theft, which the customer transferred out of the bank, closing the bank account, according to the lawsuit. Park Sterling sued the customer for the $336,600, saying Wallace & Pittman had signed an agreement ensuring the bank wasn’t responsible for unauthorized use of the customer’s computer or passwords, and that the customer had specifically declined “dual control” on the account, which would have required two people at the firm to sign off on any wire transfers.

Wallace & Pittman’s counterclaim denies the law firm was told anything about dual control, and says the bank failed to provide even a basic level of security and education for business customers, as outlined in the 2011 guidance from the Federal Financial Institutions Examination Council (FFIEC), a group of banking regulators. James Wallace, a partner in the firm, said the case was settled for an undisclosed sum. Park Sterling’s CEO and attorneys did not return phone calls.

“Banks need to help the business customers get better at this,” Romes says. He suggests that banks should require customers to have elevated security measures such as dual control, although usually the banks don’t want to inconvenience customers. Guidance from the FFIEC urges banks to at least educate consumers on how to protect themselves from attacks. The regulatory guidance also wants banks to have multiple layers of authentication, not a single layer such as a password or Internet Protocol address of the person’s computer. One example of a type of additional security is a security token that must be in the user’s possession, such as a USB token, with a secret password that is transmitted during the transaction but not visible to the user (or hacker) on the computer. “The trick for the bank is designing a system where a log in and password is not sufficient,” says Nocera. Another optional level of security for customers is a list of authorized payees, Romes says. Any time a different payee is authorized, the customer would get a notice. Some of the online banking vendors such as Jack Henry & Associates and Fiserv offer anomaly detection software that will flag the bank if an unusual transaction occurs. The cost of such software ranges from $50,000 to more than $1 million, depending on the size of the bank and type of software, Nocera says.

Business customers are often targeted for wire fraud because their accounts tend to have more money than consumer accounts and they are often set up for wire transfers. However, banks vary in terms of whether they reimburse the customer or not for a cyber theft. Often, banks make that decision on a case-by-case basis, making sure to take care of their most important, best customers. What doesn’t vary, however, is that overwhelmingly, all customers think the bank should be responsible for the loss. It doesn’t matter whether they signed an indemnification agreement with the bank. They probably don’t remember that they signed one anyway. “In the event of fraud, they are expecting the bank to take care of the loss,” Romes says.

As in the Park Sterling case, this has led to some ugly lawsuits between customers and their banks, not to mention a damaged reputation for the bank. Understanding how to protect your bank legally is tricky. There is a patchwork of some 46 different federal and state data and privacy laws, says Edward DeMarco, Jr., general counsel at The Risk Management Association. Courts have generally said that an indemnification contract with a customer alone doesn’t absolve the bank of liability. Under the Uniform Commercial Code, which governs funds transfers and has been adopted in most states, a bank must refund unauthorized payments except in certain circumstances, as when the customer and the bank have agreed on a security measure that is “commercially reasonable,” according to the law firm Poyner Spruill LLP in North Carolina. The definition of “commercially reasonable” is somewhat vague, however.

Michigan is one state that has adopted the Uniform Commercial Code, so when a Michigan custom metal fabricating company called Experi-Metal fell victim to a phishing email in 2009, a judge agreed the bank had “commercially reasonable” security measures and referred to the FFIEC guidance on the matter. An employee of Experi-Metal had clicked on a phishing email and entered the company’s passwords, log-in information and secure token identifying information, allowing criminals to submit 93 fraudulent wire transfers between the hours of 7:30 a.m. and 2:02 p.m. on Jan. 22, 2009, for a total of $1.9 million. Most of the wire transfers were for bank accounts in countries that often originate attacks, such as Russia and Estonia, according to the judge’s summary of the case in U.S. District Court for the Eastern District of Michigan.

Experi-Metal sued its bank, Dallas-based Comerica Bank, for the $560,000 the bank failed to stop or recover. The judge ruled in June 2011 against the bank, saying it had not acted in good faith. Considering the volume and suspiciousness of the orders, the bank should have “detected and/or stopped the fraudulent wire activity earlier.” A Comerica Bank spokesman issued a statement that said the bank met or exceeded standards, and said it was important for all businesses to protect their computers and monitor employees.

In another case called Patco Construction Co. versus People’s United Bank (formerly Ocean Bank), the existence of an indemnification agreement with a business customer also became irrelevant. The First Circuit Court of Appeals in 2012 found that the bank was on the hook for $345,000 that was not stopped or recovered in a wire fraud, in part because the bank used software to code suspicious activities as “high risk” but didn’t alert the customer or stop the wire transfers as a result.

One way to protect the bank when all else fails is to buy cyber insurance. Some banks don’t like cyber insurance because coverage can be limited. Policies may cover the cost of mailing notices to customers, paying for credit monitoring services for your customers, legal expenses and handling an investigation, but not for theft of money, which is usually picked up by a fidelity bond, says insurance broker Dennis Gustafson, financial institutions practice leader at AHT Insurance. “If it’s a theft of social security numbers or credit card numbers, that’s where your cyber insurance policy comes in,” he says. Banks also can buy insurance against a breach of a vendor’s systems. “If Fiserv has a major breach, the customer doesn’t know it’s Fiserv, and the customer is going to bring a lawsuit against the bank,” Gustafson says. Vendors that are well known in the industry will be easier to underwrite on the bank’s policy because insurance companies have probably already underwritten them, he says.

Each policy is different, and premiums range from $5,000 to $20,000 per $1 million worth of coverage, according to Gustafson. He recommends looking at the bank’s risks and paying for insurance coverage that works for the individual bank. DeMarco also thinks insurance is probably a good idea. “Folks are saying they are more worried about cyber security than they are worried about hurricanes like Hurricane Sandy,” says DeMarco. “Hurricanes like Sandy are a once-in-a-100-year event. Everybody has insurance for the hurricane but not for cyber security.”

Another benefit to getting insurance is the process of underwriting, where the insurance company can suggest security improvements and help the bank assess its particular risks. Whether or not the bank buys cyber insurance, the board needs to make sure it understands the bank’s security practices, the nature of the bank’s risks and what the bank is doing about it. The board should have someone who can translate technical terms for the board, even if it’s not the chief information security officer or chief information technology officer for the bank. The board should have senior management prepare regular reports on the risks the institution is facing and the security programs that are in place, says Kim Peretti, an attorney with Alston + Bird LLP and a former federal prosecutor. “For most institutions, the issue of cyber security has to be on the board’s agenda,” she says. “They need to be asking probing questions.”

Regulators have been clear on the board’s role in cyber risk. The FFIEC’s IT examination handbook says the board is responsible for overseeing the development, implementation and maintenance of the IT program, and for making senior management accountable for its actions. Oversight requires the board to approve information security plans, policies and programs, and to review the effectiveness of those programs. “Your culture has to really value security and that has to cascade to everything you do,” says the OCC’s deputy comptroller for operational risk, Carolyn DuChene.

One banker trying to make sure everyone at the bank is involved in security is Bill Perotti, the chief credit officer and chief risk officer for the San Antonio-based Cullen/Frost Bankers Inc. He says the $23.5-billion asset bank makes reports quarterly on cyber risk to the board’s risk committee. All the different departments at the bank, such as operations, audit and deposit services agree on how to define fraud, report it and produce a consolidated report.

About a year ago, Cullen/Frost also created a special fraud awareness committee of management to disseminate information about attacks and prevention across the bank. “People didn’t know that only 2 to 5 percent of our emails get through our firewall,” he said, noting how frequently spammers and fraudsters try to access the bank. “You can’t manage or reduce the level of risk without knowing what’s going on.” The committee also is charged with overseeing training of all the bank’s employees on security measures, making sure the training is appropriate to each job. Perotti says Frost Bank employees also call customers to educate them about protecting their businesses, a practice he considers superior to email education campaigns. “It’s constant diligence,” he says. “I wish there was a panacea or magic pill but there isn’t.”

Glenn Wilson, the president and CEO of $1-billion asset AmeriServ Financial, a banking institution in Johnstown, Pennsylvania, says his bank calls every customer who initiates a wire transfer to confirm. If the person can’t be reached, the wire transfer is not executed. Wilson wants to improve communication between banks on cyber threats. When he learned two other banks in Pennsylvania were targeted by organized cyber criminals about a year ago, he realized his bank wasn’t getting any information from law enforcement about types of attacks and how to prevent them. A corporate account at one bank had been hacked while criminals wired more than $1 million to Russia, he says. When the bank tried to contact the customer about the suspicious transaction, the bank couldn’t get through, because someone had simultaneously taken down the customer’s phone system for two days, he says. Another bank had its own computer systems penetrated by criminals, who disrupted IT staff while wiring themselves more than $50,000. Alarmed, Wilson, who is on the board of the Pennsylvania Bankers Assn., suggested the association start a task force so banks could communicate with each other about trends in cyber security and attacks. The task force is working to provide resources and action plans for member banks, many of whom are small banks without the resources to do this on their own, says task force member Ben Wallace, the executive vice president of operations and technology for Orrstown Bank, a $1.2-billion asset bank in Shippensburg, Pennsylvania.

Another potential hardship for banks is assessing the risk posed by bank vendors. Regulators, including the OCC, are particularly worried about the risks posed by these vendors, and the increasing use of them during the past few decades to handle everything from online banking to payment processing. In an October 2013 bulletin, the OCC emphasized that outsourcing functions to third parties doesn’t diminish management’s and the board’s responsibility to make sure those outsourced functions are performed in a safe and sound manner. All banks, including community banks, must have risk assessment practices in place for third-party relationships, the OCC said.

Dealing with a vendor that has had a colossal breach can be devastating, possibly resulting in years of expensive litigation and causing reputational harm. The risks are hard to quantify but a discussion at the board level is probably necessary. If protecting your customers is a priority, then cyber security is a priority, says the OCC’s DuChene. No bank wants to end up in the shoes of Bank Muscat, Park Sterling or People’s United.

Dechert attorney Tim Blank says banks need to continually assess the quality of their own security and that of their vendors. Imagine if 100 years ago, bank leadership didn’t feel the need to lock the bank vault. It’s the same need today, but the bank needs sophisticated defenses to ward off the criminals, he says. “The law is at a stage where you are expected to be very proactive as a director,” he says. “It’s a cost of doing business for sure. It’s not an item that can be put off.”