Fears of a major cyberattack on banks have been rising since hackers successfully stole nearly $100 million from Bangladesh’s central bank in February 2016. Shortly after that incident, Russian central bank officials disclosed that hackers stole more than $31 million (two billion rubles) from the country’s central bank and commercial banks. SWIFT, the predominant messaging network used by banks, warned that these kinds of cyberattacks are set to rise.
According to the Boston Consulting Group, financial firms are 300 times more likely than other institutions to experience cyberattacks. Almost all financial institutions have experienced a cyberattack in one form or another, and the number of cyberattacks is only increasing. In 2019, Mastercard reported that it experiences over 460,000 intrusion attempts each day, which is an increase of 70% from the year prior. Financial institutions are better at detecting and containing cyberattacks than they are at preventing them, and prevention is an area that severely needs to improve for the safety of banks and their customers.
The financial industry has struggled to keep pace with technological innovation, particularly given the extensive regulation governing its operations. While legacy technology may seem like just an inconvenience to consumers, it has become a major security risk for commercial banks, insurance companies, and their consumers. At the same time, hackers have benefited from new technologies that make it easier to hack into these legacy banking systems.
For example, so-called two-factor authentication is a nearly bullet-proof way to secure consumer bank accounts. Banks send a temporary code to the consumer’s cell phone before allowing them to log in, which means hackers would need access to both the computer and the cell phone to gain access to the account. Despite the effectiveness of the method, several major banks don’t use two-factor authentication to protect consumer bank accounts. A major reason for this is that consumers find it frustrating and time-consuming.
Impact of Cyberattacks on Banks
Consumers have relatively little to lose from cyberattacks on banks, provided they weren’t lax about safeguarding their information, and they quickly notify the bank if funds are missing. U.S. federal law requires banks to refund customers if someone takes money from their account without authorization and they notify the bank within 60 days of the transactions appearing on their bank statement. Business accounts, however, have fewer protections and could be subject to greater losses.
Banks themselves have fewer assurances from the federal government that they would remain solvent if a major cyberattack were executed. According to some experts, the Financial Stability Oversight Council has largely failed to acknowledge and plan for cyberattacks that threaten the solvency of a major bank. These attacks could target bank processing systems and disrupt critical financial transactions needed to avoid margin calls, for example, triggering a default.
The U.S. government is aware that cyberattacks on financial institutions are a national security threat. The Federal Reserve claims that because of the interconnectivity of banks, the spillover effect of cyberattacks is great. They claim that a cyberattack on any of the five most active U.S. banks could affect 38% of the network. They also claim that cyberattacks on six small banks with less than $10 billion in assets could threaten one of the top five U.S. banks. It's important for institutions to realize that online connectivity has no borders, so the rapid spread of a cyberattack is a crucial element to address in cybersecurity.
Many banks already see millions of attempted attacks each year, resulting in modest losses, but the precedent set by the SWIFT hack on central banks indicates that these attacks are rapidly becoming more sophisticated and that institutions aren't keeping up as quickly as hackers.
The Bottom Line
Cybersecurity has become a paramount concern for the banking sector, but some banks have been hesitant to implement much-needed security measures. In addition, regulators have been slow to develop a plan to address major attacks if and when they occur. Consumers may be able to recover their money under federal law, but some experts are concerned that the escalating attacks could render a major bank insolvent if successful, or at least create a panic that leads to a run on a bank.